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Financial Management Specialist, 

Karachi Mobility Project — Yellow Line BRTS, 
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Karachi. 


SUBJECT: GOVERNANCE ASSESSMENT OF SINDH MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 
MOBILITY PROJECT). 








I am in recept of your letter reference number 
FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 
and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 
to you. 


COMMUNICATION SPECIALIST 


C.c to: 

„1: PS to Project Director, Karachi Mobility Project. 
2. Master File. 
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Description of 
SMTA control 





Control Objectives 


ontrol Environment : . 
fegrity, ethical values, and behavior of key executives - The effectiveness of controls depends on the integrity and ethical 


lues of the people who create and administer them. The control environment is influenced by how management 
mmunicates ethical standards and reinforces them in practice - through policies and codes of conduct, and by example. 


‚des of conduct and other policies regarding acceptable 
siness practices, conflicts of interest, or expected 
indards of ethical or moral behavior exist and have 

‘en implemented. 


Control Considerations 


as Sa 











Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, Or 
expected standards of ethical or moral behavior 
and have they been implemented and 
communicated effectively? 











Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and 
insider trading? 





Are the codes periodically acknowledged by all 


employees? 
Are training programs conducted to ensure that 


employees understand the codes of conduct? 





Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 

Tf a written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? 

Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 
do if they encounter improper behavior? 











Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement any 
appropriate changes in company policies or 
business practices in a timely manner? 


Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation; 
occupational safety and health; environmental protection; 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons; 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local; HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance, communications; 


Is a register and record of complaints 
maintained regarding significant laws with 


which the entity is required to comply within its 








Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 





Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 
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Tone at the top," including explicit moral guidance 
vout what is right and wrong, has been established and 
ommunicated throughout the organization. 


fanagement conducts business with employees, 

uppliers, customers, investors, creditors, insurers, 
ompetitors, and auditors, etc. on a high ethical plane and 
ısists that others do so. 


remedial action taken in response to departures from 
pproved policies and procedures is appropriate and is 
;ommunicated or otherwise becomes known throughout 
he organization. 


The achievement of performance targets is reasonable - 
yarticularly for short-term results - and compensation is 
10t overly dependent upon their achievement. 






ensure that employees are familiar with the N 6 
recent changes/ammendments of laws to have 

better idea of these cheanges? 

Is commitment to integrity and ethics 
communicated effectively throughout the 
organization, both in words and deeds? 
Do employees feel peer pressure to do the right 
thing, and do they avoid cutting corners to 
increase short-term profit? 
Does management appropriately deal with signs 
that problems exist, e.g., potential defective 
products or hazardous wastes, especially when 
Are training programs/workshops conducted for 
employees' moral guidance regarding 
organization policy for prohibiting employees 
from accepting gifts from vendors? 
Are everyday dealings with customers, 
suppliers, employees, and other parties based on 
honesty and fairness (e.g., customer's over- 
payment or supplier's under billing is not 
ignored; no efforts are made to find a way to 
reject an employee’s legitimate claim for 
benefits; and reports to lenders are complete, 


accurate. and not misleading)? 
Does management respond appropriately to 


violations of behavioral standards? 
Are disciplinary actions taken as a result of 
violations widely communicated in the entity? 

































Do employees believe that, if caught violating 
behavioral standards, there will be 
repercussions? 





Has management provided guidance on the 
situations and frequency with which 
intervention may be needed? 
Is management intervention documented and 
explained appropriately? 





Are deviations from established policies 
investigated and documented? 





Is there an absence of extreme incentives or 
temptations that can unnecessarily and unfairly 
test people's adherence to ethical values? 





Are compensation and promotions based on 
factors other than solely the achievement of 


short term performance targets? 
Are controls in place to reduce temptations that 


might otherwise exist? 








lanagement’s intervention of established controls is 
ıppropriate and well controlled. 








Commitment to Competence - Management must specify the level of competence needed for particular jobs, and translate the 
desired level of competence into requisite knowledge and skills. 
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fining tasks that comprise particular jobs have been informal basis, the tasks comprising particular ied 
:ablished. jobs, considering such factors as the extent to I Es 
which individuals must exercise judgment and 
a Sta e i A 9 
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Has management adequately determined the 
knowledge and skills needed to perform 

particular jobs? 
Does evidence exist indicating that employees 
and key managers appear to have the requisite 


knowledge and skills for their job functions? 


ralyses of the knowledge and skills needed to perform 
bs adequately have been performed. 









Does management demonstrate a commitment 
to provide sufficient competent accounting and 

financial personnel to keep pace with the growth 
and/or complexity of the business? 


he SMTA Board or Audit Committee - The board and 
s audit committee play an important role in setting 
1e tone at the top. Qualities include the board or 
udit committee's independence from management, 
1e experience and stature of its members, the extent 
f its involvement and oversight of activities, the 
egree to which difficult questions are raised and 
ursued with management, and its interaction with 


ndependence from management has been achieved, such Does the board include independent 
directors/members with appropriate background 


aat necessary, even if difficult and probing, questions are 
aised. and expertise, given the nature of SMTA? 











Has the independence of outside board members 
been adequately reviewed, including 


affıliations? 
Does the board constructively challenge 


management's planned decisions for strategic 
initiatives and major transactions, and probe for 
LE of past results (e.g., budget 








Does the board and/or audit committee 
represent an informed, vigilant and effective 
overseer of the financial reporting process and 





Does the board and/or audit committee give 
sufficient consideration to understanding 
managements processes Ar monitoring business 





Does a board that consists solely of an entity”s 
officers and employees (e.g., a small 

corporation) question and scrutinize activities, 
present alternative views and take appropriate 





[Board committees are used, where warranted by the need Do board committees exist? 
for more in-depth or directed attention to particular 


matters. 





Are the existing committees sufficient, in 
subject matter and membership, to deal with 
important issues adequately? 
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Does the audit committee have adequate 
resources and authority to discharge its 
responsibilities? 
Do directors/members have sufficient 
knowledge, industry experience and time to 
serve effectively? 
Does the audit committee include at least one 
"financial expert"? 
Does the audit committee meet privately with 
the chief accounting officer(Director F&A) and 
internal and external auditors to discuss the 
reasonableness of the financial reporting 
process, system of internal control, significant 
comments and recommendations, and 














Directors/members on the board are knowledgeable and 
experienced. 


Frequency and timeliness with which meetings are held 
with Dirctor (F&A) and/or accounting officers, internal 
auditors and external auditors are adequate. 


Sufficient information is provided to the board or 
committee members on a timely basis to allow 
monitoring of management's objectives and strategies, the 
entity's financial position and operating results, and terms 
\of significant agreements. 








Does the audit committee review the scope of 
activities of the internal and external auditors at 
least quarterly? 
Does the board regularly receive key 
information, such as business plans, financial 
statements, major project initiatives, significant 
contracts or negotiations? 
Is the audit committee kept apprised of 
accounting standards / Government Policies that 
impact SMTA, particularly with respect to 
judgmental areas involving the use of 


























Do directors/members believe they receive the 
proper information? 
Does a process exist for informing the board of 
significant issues? 
Is information communicated in a timely 
manner? 












Sufficient sensitive information is provided to the board 
or audit committee regarding investigations and improper 
acts (e.g., project delays, cost over runs, travel expenses 
of senior officers, significant litigation, Investigations of 
regulatory agencies, defalcations, embezzlement or 
misuse of corporate assets, violations of insider trader 
rules, political payments, illegal payments). 









Does the compensation committee approve all 
management incentive plans tied to 


performance? 
Does the compensation committee, in joint 


consultation with the audit committee, deal with 
compensation and retention issues regarding the 


internal auditor? 
Is the board and/or audit committee involved 


sufficiently in evaluating the effectiveness of the 
"tone at the top"? 
Does the board take steps to ensure an 
appropriate "tone"? 


The board and/or audit committee provides oversight in 
determining the compensation of executive officers and 
internal auditor, and the appointment and termination of 
those individuals. 












The board and/or audit committee has a significant role 


in establishing the appropriate "tone at the top. 
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management's adherence to the code of YE E 
conduct? — 
he board or audit committee takes appropriate actions Has the board or audit committee issued 
3 a result of its findings, including special investigations, directives to management detailing specific 7 Ë a 
s needed, actions to be taken? 
Does the board or audit committee oversee and 
take prompt action to follow-up its findings? 7 E S 


Aanagement's Philosophy And Operating Style - Management's attitudes toward controls are reflected in how it accepts and 
nanages business risks. Management may be conservative or aggressive in selecting accounting principles and in developing 


Aanagement evaluates business risks prior to accepting Does management move cautiously, proceeding 
hose risks (e.g., high risk ventures, extremely 
:onservative ventures). 


only after carefully analyzing the risks and 
Management monitors personnel turnover in key 
‘unctions (e.g., operations, accounting, data processing, 
Internal audit). 


potential benefits of a venture? 
Are there appropriate policies for such matters 
as accepting new business and conflicts of 
Management has the appropriate attitude relative to the 
information systems processing and payment & 


interest which are adequately communicated 
throughout the organization? 
reliability of financial reporting and the safeguarding of 











Has turnover of management or supervisory 
personnel been normal, rather than excessive? 





Have key personnel left only after giving proper 
notice, rather than quitting unexpectedly or on 


short notice? 
Has turnover of personnel other than 


management been normal, rather than 


excessive? 
Does management give appropriate attention to 


internal controls? 

Is the accounting function viewed as a vehicle 
for exercising control over the entity's various 
activities, rather than as a necessary group of 












Does the selection of accounting and 
government principles used in financial 

statements result in a fair presentation, as 
opposed to always resulting in the highest 


CDOLLICO sd nes? 








If the accounting function is decentralized, does 
operating management “sign off” on report 


results? 
Do business unit accounting personnel also have 


responsibility to central financial officers? 





Are valuable assets, including intellectual 
property and information, protected from 


unauthorized access or use? 
Do senior managers frequently visit projects or 





divisional operations? 
Are project or divisional management meetings 


held frequently? 
Is there a mechanism available to remotly 


access overall project progress? 





from geographically remote locations-. 





There is frequent interaction between senior management 
and operating management, particularly when operating 






Does management avoid excessive focus on 
short-term reported results? 
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Management has a positive attitude and takes appropriate 
actions toward financial / Government / Donor reporting, 
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aatments (e.g., selection of conservative vs. liberal inappropriate reports to meet targets (e.g. er 
‘licies, whether accounting principles have been salospcople submitting orders to meet targets, | ES 


isapplied, important financial information not knowing customers will retut goods in the next 


sclosed, or records manipulated or falsified). period)? 


Have managers’ actions been proper, with no Y ES 
apparent signs of inappropriate practices? 
reanizational Structure - The or anizational structure is the framework that allows a company to carry out its activities. It 


efines how the parts of SMTA fit to ether, defines key areas of res onsibility and establishes lines of authority and 
ropriateness of an entity's or anizational structure depends on its size, its goals and the nature of its 











ctivities. 


‘he entity's organizational structure, and its ability to 
rovide the necessary information flow to manage its 
ctivities, are appropriate. 


Cey managers' responsibilities are adequately defined, 
nanagers understand these responsibilities, and their 
mowledge and experience are adequate in light of their 





Is the organizational structure appropriately 
centralized or decentralized, given the nature of 


the entity's operations? 
Does the structure facilitate the flow of 


information upstream, downstream and across 


all business activities? 
Are responsibilities and expectations for the 


entity's business activities communicated clearly 
to the executives in charge of those activities? 















‘esponsibilities. 


Reporting relationships are appropriate within the entity. i 


Are knowledge and experience of key managers 
adequate for their responsibilities? 

Are established reporting relationships (whether 
formal or informal, direct or matrix) effective, 
and do they provide managers information 
appropriate to thcir responsibilities and 














Do the executives responsible for business 





activities have access to communication y ES 
channels to senior operating management? 
Modifications to the organizational structure are made Does management periodically evaluate the . 
appropriately based on changed conditions. 5 entity's organizational structure in light of y EC 
changes in the business or industry? 





Do managers and supervisors have sufficient 
time to carry out their responsibilities 





Do managers and supervisors work normal, 
rather than excessive amounts of overtime, thus 
fulfilling a manageable level of responsibilities 








Sufficient numbers of employees exist, particularly in 
management and supervisory capacities. 


Assignment of Authority and Responsibility - The assignment of responsibilities, 
related policies provide a basis for accountability and control. It involves the degree to which individuals and teams are 
encouraged to use initiative in addressing issues and resolving problems as well as limits of their authority. A critical 


challenge is to delegate only to the extent required to achieve objectives 





delegation of authority and establishment of 












Is authority and responsibility assigned to 
employees throughout the entity? 
Are the number of people with requisite skill 
levels relative to the size of the entity, nature 
and complexity of activities and systems 
Do job descriptions contain specific references 
ties? 


Responsibility and delegation of authority are assigned to 
deal with organizational goals and objectives, operating 
functions and regulatory requirements, including 
information systems and authorization for changes. 

















Control-related standards and procedures, including 


employee job descriptions are appropriate. to control-related responsibili 





Jeloyated AUTNOTITY IT retduto LU assızllvu UA an epee e 
esponsibilities is appropriate. authority needed to "get the job donc" and the 
involvement of senior personnel where needed? 








Are employees at the “right” level of 
empowerment to correct problems or implement 
improvements, and is empowerment 
accompanied by appropriate levels of 
competence and clear boundaries of authority? 
Is responsibility for information systems 
processing and program development clear? 


Human Resources Policies and Practices - Human resource policies and practices relate to hiring, training, evaluating, 
compensating and terminating employees. Management's expectations of performance and behavior are communicated 


through training and performance review. 


Policies and procedures for hiring, training, promoting Are there policies and procedures for hiring, 
and compensating employees are in place. training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.g., 
nting ? 
Do existing personnel policies and procedures 
result in recruiting or developing competent and 











trustworthy people necessary to support an 
effective internal control system? 





When formal documentation of policies and 
procedures does not exist, does management 
communicate expectations about the type of 


people to be hired or participate directly in the 
i 5 


Are new employees made aware of their 
responsibilities and management's expectations 









People are made aware of their responsibilities and 
expectations for them. 








Do supervisory personnel meet periodically 
with employees to review job performance and 


suggestions for improvement? 
Is management's response to failures to carry 


out assigned responsibilities appropriate? 





Remedial action taken in response to departures from 
approved policies and procedures are appropriate. 





Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





Do employees understand that ineffective 
performance will result in remedial 

consequences? 
Are integrity and ethical values considered as 
criteria in performance appraisals? 
Are candidates with frequent job changes or 


gaps in employment history subjected to 
particularl 





Personnel policies address adherence to appropriate 
ethical and moral standards. 
Employee candidate background checks, particularly 
with regard to prior actions or activities considered to be 
unacceptable by the entity, are performed, 
















close scrutiny? 
Do hiring policies require investigation for a 
criminal record? 
Are promotion and salary increase criteria 
detailed clearly so that individuals know what 
management expects prior to promotions Or 

advancement? 












Employee retention, promotion criteria, information- 
gathering techniques (e.g., performance evaluations) and 
relation to the code of conduct or other behavioral 
guidelines are adequate. 
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Risk Assessment Bar 
intity-Wide Objectives - Entity-wide objectives, required to have effective control, include broad statements or what an 


mtity desires to achieve, and are supported by related strategic plans. Objective setting is a precondition to risk assessment. 
Chere first must be objectives before management can identify risks to their achievement and take necessary actions to 








nanage the risks. 


Intity-wide objectives provide sufficiently broad Has management established entity-wide 
statements and guidance on what the entity desires to 
ıchieve, yet are specific enough to relate directly to this 


objectives? 
Are the entity wide objectives different than 
generic objectives that could apply to any entity 
(e.g., generate sufficient cash flow to service 
debt, or produce a reasonable return on 









antity. 


Entity-wide objectivos are effectively communicated to 
employees and board of directors/members and 
periodically undated. 

Business/Operational strategies are consistent with entity- 
wide objectives and regularly reviewed. 


Business/Operational plans and budgets are consistent 
with entity-wide objectives, strategic plans and current 
conditions. 





DYESIMEN 
Is information on the entity-wide objectives 


disseminated to employees and the board of 


directors/members? 
Does management obtain feedback from key 


managers, other employees and the board 
signifying that communication to employees is 
effective? 

Does the strategic plan support the entity-wide 
objectives? 

Does the strategic plan address high level 
resource allocations and priorities? 

Is the strategic plan periodically reviewed and 
updated and approved by the entity's board of 


directors/members? 
Do assumptions inherent in the plans and 


budgets reflect the entity's historical experience 


and current conditions? 
Are plans and budgets at an appropriate level of 


detail for each management level? 
Activity-Level Objectives - Activity-level objectives flow from and are linked with the entity-wide objectives and strategies. 
Activity-level objectives are frequently stated as goals with specific targets and deadlines. Objectives are established for each 
significant activity, and those activity-level objectives are consistent with each other. 




































Have activity-level objectives been established 
for all significant business processes? 
Is there adequate linkage between activity-level 
objectives, entity-wide objectives and strategic 


plans? 
Are activity level objectives reviewed from time 


to time for continued relevance? 
Are they complementary and reinforcing within 
activities? 


Arefhey gomple -aF FR ASS 
between activities? 


Áre objectives established for key activities in 
the flows of goods and services and support 
activities? 


Activity-level objectives have been established; there is 
linkage between activity-level objective and entity-wide 
objectives; and strategic plans and objectives are 

consistent. 











Activity-level objectives are consistent with each other. 





Activity-level objectives are relevant to all significant 
business processes. 
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practices and performances or with industry or —, 
functional metrics, and have the reasons for 5 ES 
variances been considered? 





Are objectives established for each significant 


stivity-level objectives are specific, measurable and are Do objectives include assessment criteria that 
onitored. Adequate resources are available to achieve are specific, measurable, achievable, realistic 
e objectives. and time based? 

Are objectives monitored on a regular basis? 





Are current resources sufficient to achieve 
objectives or has management identified the 
resources needed? 


bjectives that are important (critical success factors) to Has management identified what must go right, 
shievement of entity-wide objectives are identified. or where failure must be avoided, for entity- 
Are capital spending and expense budgets based 











wide objectives to be achieved? 

on management's analysis of the relative 
importance of objectives? 

Do the objectives serving as critical success 


factors provide a basis for particular 

agement focus? 

Do managers participate in establishing activity 
objectives for which they are responsible? 











Do procedures exist to resolve disagreements? 


man 
111 appropriate levels of management are involved in 
‚bjective setting and demonstrate commitment to the 
ybjectives. 
Do managers support the objeclives, and not 
have "hidden agendas? 
Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
level and the activity level. The risk-assessment process should consider external and internal factors that could impact 
achievement of the objectives, should analyze the risks, and provide a basis for managing them. 


Are there adequate mechanisms in place to 
identify external risks that prevent the 
achievement of business objectives? External 


es may include: 
Supply sources 














Mechanisms are in place to identify risks arising from 
external sources. 





Economic conditions 


Mechanisms are in place to identify risks arising from 
internal sources. 





Finance (e.g., availability of funds for new 
initiatives or continuation of key programs 
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"he risk analysis process is thorough and includes 
stimating the significance of risks, assessing the 
ikelihood of their occurring and identifying steps to 
nitigate them. 


The risk assessment process is adequately monitored by 
senior management and/or the board. 


Are procedures performed to identify significant 
risks for each entity/projec/directorate and 
significant activity-level objective? 

Are risks analyzed to determine their 
significance and rate the likelihood and 
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Research & Development 












Marketing/Communicaton 











consequence of their occurring? 
Are risks analyzed to determine what steps are 


required to mitigate the risk, if appropriate? 





Does the board or audit committee oversee and 
monitor the risk assessment program and ensure 
appropriate action is taken for significant risks? 


le 


Managing Change — Economic, industry and regulatory environments change and entities? activities evolve. Mechanisms are 


needed to identify and react to changing conditions. 


Mechanisms exist to anticipate, identify and react to 
routine events or activities that affect achievement of 
entity or activity-level objectives. 


Mechanisms exist to identify and react to changes that 
can have amore dramatic and pervasive effect on the 












IPSAS/GFR Compliance — Entity a 


The accounting department has established processes to 
(1) identify significant changes in International Public 
Sector Accounting Standards (IPSAS) / Government 
Financial Rules (GFR) promulgated by relevant 
authoritative bodies (Controller General of Accounts), 
(2) notify the accounting department of changes in the 
entity’s business practices that may affect the method or 
the process of recording transactions, and (3) identify 
significant changes in internal control or the operating 
environment, including changes as a result of new or 
changing regulations 


react to routine events or activities that affeot 
achievement of entity or activity-level 

Are risks and opportunities related to the 
changes addressed at sufficiently high levels in 


entity, and may demand the attention of top management. 


ccounting practices should accurately reflect current IPSAS/GFR and other regulatory 





Do mechanisms exist to anticipate, identify and 








the organization so their full implications are 
identified, and appropriate action plans 






Are mechanisms in place to identify and react to 
changes that may impact the organization's 
mission and strategy and therefore affect entity- 
wide and activity-level objectives (e.g., rapid 


growth, new products, business acquisition, 
turing)? 














Does the accounting department have a process 
in place to identify and address changes in 

IPSAS/GER, as well as for approving changes 
in accounting made to address such changes? 











Does management work with SMTA’s 
independent auditors or other third party experts 
to determine if they are addressing complex 
changes in IPSAS/GFR appropriately? 


Does the board of directors/members and/or the 
audit committee review and approve significant 
changes in the entity’s accounting practices? 
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Control Activities 
Policies and Procedures - Policies establish what sho 
be done and procedures explain how it is carried out. 
Policies may be communicated orally or written. 
Regardless of method they must be implemented 
conscientiously and consistently. 








uld 
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department is made aware of changes in the 
operating environment so they can review the fe. 
changes and determine what, if any, effect | E SS 
change may have on the entity’s accounting 
practices? 

Are there channels of communication between 
the accounting department and/or individual(s) 
in charge of monitoring regulatory rules so the 
accounting department is aware of regulatory 
changes that could affect the entity’s accounting 
practices? 












Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 
determine whether such transactions are 
appropriately accounted for and disclosed? 
Evaluate to what degree the DFA and Controller 
periodically review and approve the accounting 
practices as being in accordance with 
IPSAS/GFR and meeting the needs of the issuer. 
Does the DFA or Controller review and assess 
the ability and expertise of accounting personnel 
at cach of its subsidiaries to properly report 
relevant information for disclosure purposes? 











Are there controls in place to ensure relevant 
information is captured at the lowest level to 
ensure proper reporting at the consolidated 








Are there policies and procedures in place to 
ensure the preparation of the statement of cash 
flows is in accordance with applicable 

frameworks? 


Are there policies and procedures (informal or 
documented) for generation of accounting 

transactions and financial statements and over 
developing and modifying accounting systems 








Are accounting and closing practices followed 
consistently at interim dates (e.g. monthly, 





Do appropriate levels of management review 
significant accounting estimates and support for 
unusual transactions and non-standard journal 

entries? 
Is documentation for transactions timely and 
appropriate? 
Are policies and procedures reviewed 
periodically to determine continued 
appropriateness? 
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a TE 1 
management? 
‘ary Controls - Management has clear budget, Does a budgeting system exist and is it 
yrofit, and other financial and operating goals. These appropriate and comprehensive in relation to J ES 
soals are clearly written and communicated throughout entity's structure? _ 
he entity, and are actively monitored and variances Does management appropriately review key f 
significant variances? 
Are significant variances investigated and is 
Are variances in planned performance 


reside with the appropriate levels of YES 
ıddressed. performance indicators regularly and identify 

appropriate corrective action taken? 

directors/members and/or audit committee on a 


Do financial statements and management reports 
submitted by various reporting units include 
analytical comments and analysis? 

Is there appropriate segregation of incompatible 
duties in general? 








different people to reduce the risk of fraud or 
ar 






inappropriate actions. Note: Specific areas o 


segregation of duties will be covered within the business 


Safeguarding of Assets - Periodic comparisons are made 
of amounts recorded in the accounting system with 
physical assets. Adequate safeguards are in place to 


Segregation of Duties — Duties are logically divided or 
segregated (whether manually or through appropriate set 
up of information technology applications) among 





Has management established procedures to 
prevent unauthorized access to, or destruction 


of. documents, records, and assets? 


investigated to determine the reason for the 
adjustment and are appropriate actions taken to 


address the root causes for the adjustments? 









prevent unauthorized access to or destruction of 
documents, records, and assets. Note: Specific areas o 
safeguarding of assets will be covered within the 
sections. 











business process analysis 




















Do formal policies and procedures exist to 

address: 

Stockholder records, stock issuance and 
stock transactions? 


Shareholder Matters — Shareholder matters should be 
properly authorized and recorded. 





Are stockholder records completely and 
accurately maintained? 
Are transactions for the following valid, 
authorized, complete, accurate and processed on 


a timely basis and documented? 













Information and Communication E 
Information - Information is identified, captured, processed and reported by information systems. Relevant information 
includes industry, economic and regulatory information obtained from external sources, as well as internally generated 

information. This information enables people to carry out their responsibilities. 
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!xteınal and internal information 15 obtained, ana ° LU P1UVSUU1CS IV ut ara 
yrovides management with necessary reports on the review control processes to ensure that the le E < 
*ntity's performance relative to established entity-wide O s are bein ied as expected? 
Jbjectives. e Are procedures in place to monitor when 
controls are overridden and to determine ifthe 
override was appropriate? 
e Are policies/procedures in place to assure 
that corrective action is taken on a timely basis 
















when control exceptions occur? 
Is internally generated information critical 


Information is provided to the right people in sufficient e Doman 

detail and on time to enable them to carry out their enables them to identify what action needs to be 

responsibilities efficiently and effectively to achieve ken? 

activity-level objectives. e Is information provided at the right level of 
detail for different levels of management? 





















e  Isinformation summarized appropriately, 
providing pertinent information while 
permitting closer inspection of details as needed 
athe niust a "se "2 
e Isinformation available on a timely basis 
to allow effective monitoring of events and 
activities - internal and external - and prompt 
reaction to economic and business factors and 


Qntro es? 











Is the entity able to prepare accurate and 
timely financial reports, including interim 


Information systems provide management with necessary 
reports on the entity’s performance relative to established 
objectives. 





Is there a high level of user satisfaction 
with information systems processing, including 
eliability and timeli of reports? 

e Has the internal control environment at the 
service organization been documented and 
tested by an independent third party for the 
relevant functions? 
e Does the timing of the documentation and 
testing performed by the independent third party 
cover a significant portion of the year? 
















Internal controls over significant applications or 
transactions that are executed/processed by service 
organizations are effective. 





Communication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 
and up an organization and with parties external to the organization. 

















e Are employees’ roles and responsibilities 
regarding internal control and risk assessment 


communicated clearly and effectively by 
š 9 


Do employees know the objectives of their 
r duties contribute to 


Employees' duties and control responsibilities are 
effectively communicated. 

















Channels of communication for people to report 
suspected improprieties have been established. 


°  Isthere a way to communicate upstream 
through someone other than a direct superior, 
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° Are persons who report suspected 
improprieties provided feedback, and do they 

ave immunitv from reprisals? 
ə Are all reported potential improprieties 
reviewed, investigated and resolved in a timely 















Aanagement is receptive to employee suggestions of 
vays to enhance productivity, quality or other similar 
mprovements? i 
inefi gnition? 


employees to provide recommendations for 
Sommunication across the organization is effective (for e Do salespeople inform engineering, 
>xample, between procurement and production activities) production and marketing of customer needs? 





e Are realistic mechanisms in place for 
mprovement? 
Does management acknowledge good 
providing cash awards 
and the completeness and timeliness of information is 
sufficient to enable people to discharge their 
responsibilities effectively. Does information on competitors' new 
ngineering, 


Do feedback m 
parties exist? 

e Are suggestions, complaints and other 
input captured and communicated to relevant 
inte parties? 

e Is information reported upstream as 
necessary and follow-up action taken? 
e _ Are important communications to outside 
parties delivered by management level 
commensurate with the nature and importance 
of the message (e.g., senior executive 





echanisms with all pertinent 








Channels with customers, suppliers and other external 
parties for communicating information on changing needs 
are open and effective. 


Outside parties are made aware of the entity's ethical 
standards. 








d ang aQ l de nani ie 2 
e Do suppliers, customers and others know 
the entity's standards and expectations regarding 


ions in dealing with the entity? 
e Are improprieties by employees of external 


parties reported to the appropriate personnel? 











Follow-up action by management resulting from 
communications received from customers, vendors, 
regulators or other external parties is timely and 
appropriate. 


e _ Are personnel receptive to reported 
problems regarding products, services or other 


matters, and are such reports investigated and 
9 
DO 


° _ Are errors in customer billings corrected, 
and the source of the error investigated and 





e Do appropriate personnel independent of 
those involved with the original transactions 


omplaints? 
° Are appropriate actions taken and is there 
follow-up communication with the original 
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and volume of com laints? De 








Tonitoring 
ngoing Monitoring - Ongoing monitoring occurs in the ordinary course of operations, and includes regular manage 
and other actions personnel take in performing their duties that assess the quality of internal 

Additional monitoring controls will be covered within the business process analysis sections. 


ment 





1d supervisory activities, 
yntrol system performance, Note: 


ersonnel, in carrying out their regular activities, 
:gularly obtain evidence as to whether the system of 









e Are operating personnel required to “sign 
off’ on the accuracy of their units’ financial 
statements, and are they held responsible if 
e discovered” 
Are customers” complaints recorded and 


1ternal control continues to function. 





‘ommunications from external parties, that corroborates 
ıternally generated information or indicates problems, is 


ffectively gathered and used. 





e Doregul 
the entity regarding compliance or other matters 
that reflect on the functioning of the internal 








+ Are controls that should have prevented or 
detected the problems reassessed? 
° Are there periodic comparisons of 


accounting records to physical assets? 
e Do executives with proper authority decide 


which of the auditors’ recommendations will be 
implemented? 
+ Are desired actions followed up to verify 


implementation? 
e re relevant issues and questions raised at 








There is periodic comparison of amounts recorded by the eS 
accounting system with physical assets. 


Management is responsive to internal and external 
auditor (or external regulator) recommendations on 





means to strengthen internal controls. 





sessions and other meetings. 





Management secks feedback on whether controls operate 

effectively when conducting training seminars, planning 
upstream and acted on as appropriate? 

e Does management monitor actions toward 


financial reporting, including disputes over 
application of accounting treatments? 


Management monitors actions toward financial reporting, 
including disputes over application of accounting 
treatments (e.g., selection of conservative vs. liberal 
accounting policies, whether accounting principles have 
been misapplied, important financial information not 
disclosed, or records manipulated or falsified). 


Personnel are asked periodically to state whether they 
understand and comply with the entity's code of conduct 
and regularly perform critical control activities. 
The scope and extent of internal audit activities is 
appropriate. 
















e Are signatures required to evidence 


performance of critical control functions, such 
ns a 29 







s recon g spe ed a 1 
Are there appropriate levels of competent "t 
and experienced staff? / 
e Is their position within the organization 
appropriate? 
' Do they have access to the board of 
directors/members or audit committee? 
e Are their scope, responsibilities and audit 


plans appropriate to the organization's needs? 
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e rate Evaluations - It Is useful to take a tresh 100K at the Internal conıror system ırum ug LU une, surussup un vun vi 


j 
a el TS ——as5< 


ystem effectiveness, the scope and frequency of separate evaluations will depend primarily on an assessment of risks, and 
ıngoing monitoring procedures. 


Che scope, frequency and methodology of separate 
‚valuations of the internal control system is adequate. 
The evaluation process is appropriate and the objectives 
>f the evaluation are clearly stated. 


The methodology for evaluating a system is logical and 
appropriate and interim and final deliverables are 








e Are appropriate portions of the internal 
control system regularly evaluated? 
ə Are the evaluations conducted by 
personnel with the requisite skills? 
Are the scope, depth of covera 








ge and 






uator gain a sufficient 
ity's activities? 
e Isan understanding obtained of how the 
system is supposed to work and how it actually 












Is an analysis made, using the evaluation 
results as measured against established criteria? 








e Is the evaluation team brought together to 
plan the evaluation process and ensure a 
oordinated efi 
Is the evaluation process managed by an 
executive with requisite authority? 





adequately defined. 


















The level of documentation developed during and e Are policy manuals, organization charts, 
resulting from the evaluation is appropriate. operating instructions and the like available? 
e Is consideration given to documenting the 
evaluation process? 


Reporting Deficiencies - Internal control deficiencies should be reported upstream with certain matters reported to top 


management and the board. 


Mechanisms exist for capturing and reporting identified 
internal control deficiencies. 








e Do mechanisms exist for capturing and ” 
reporting deficiencies from both internal sources 
and external sources (e.g., customers, suppliers, 





Reporting protocols are appropriate and are followed. 






directly to appropriate individuals? 
e Are specified types of deficiencies 
reported to more senior management and to the 
° Is the identified transaction or event 


corrected? 
e Are the underlying causes of the problem 








Follow-up actions are timely and appropriate and are 
reviewed by management. 









investigated? 
e Is there follow-up to ensure the necessary 


corrective action is taken? 








2. 


he right tone for an effective internal control framework. Strong 





Fraud — Fraud prevention programs are essential to set t 
internal controls provide better opportunities to detect and deter fraud. 





Is there a positive workplace environment that 
minimizes employees’ sense of feeling abused, 
threatened or ignored? 
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Management has implemented formal communication 
mechanisms, internal controls, and internal or external 
oversight processes to effectively prevent or deter fraud. 


Vo 1 


Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 


rust? 
Does SMTA react to and deal with acts of fraud 


in a manner that sends a strong message 
throuehout SMTA that helps reduce the 


likelihood of future incidents? 
Are there ongoing internal fraud communication 


programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 

Do communications to external parties regularly 
state SMTA's position on fraudulent activity and 
the potential consequences if fraud is detected? 




















Has management implemented and does it 
continuously monitor the operation of internal 
controls designed to mitigate the risk of fraud? 





Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 
appropriate influence over the financial 
reporting process? 








Does management make changes to the 
processes of the organization to reduce or 
eliminate the risk of fraud? 
Does the audit committee or board of 
directors/members evaluate management's 

identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 


Management has included the identification of fraud risks 
in its entity--wide risk assessment program or has 
established a separate risk assessment program that 
considers the vulnerability of SMTA to fraudulent 
activities. 











Does management review identified fraud risks 
with the audit committee and seek guidance 
from the audit committee as to other associated 





Do internal auditors examine and evaluate 
adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 
proactive auditing: to search for corruption, 
misappropriation of assets, and financial 
statement fraud? 

Does management perform fraud brainstorming 
sessions? 

Have critical controls been identified to address 
identified fraud risks? 


Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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GOVERNMENT OF SINDH 
Karachi Urban Mobility Project 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT 
DEPARTMENT 

No. SDS/YLC/SMTA/2021/ 001 Karachi Dated: July 26, 2021 





Financial Management Specialist, 

Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 

Karachi. 


SUBJECT: GOVERNANCE ASSESSMENT OF SINDH MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 
MOBILITY PROJECT). 








I am in recept of your letter reference number 
FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 
and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 


to you. 
SOCIAL DEVELOPMENT SPECIALIST 

C.c to: 

X PS to Project Director, Karachi Mobility Project. 

2. Master File. 
Enclosure: SA 

1. Filled-in Questionnaire aie 

. a 


> 
k 





House # D-43/1, Block 2 Clifton, Karachi, 75600 Tel: 021 99333208 Ext.30 Email: sds.kmp.yle@gmail.com 


C 


GOVERNMENT OF SINDH 
Karachi Mobility Project 
(YELLOW LINE BRTS) 

SINDH MASS TRANSIT AUTHORITY 





H » pst 
No. FMS/CG INLC/SMT. A/2021 Karachi Dated: 1 July 2021 


To, 

1. Director HR & Administration, 2. Director F & A, SMTA 
SMTA 

3. Director Infrastructure & Projects, 4. Procurement & Contract Management 
SMTA Specialists , KMP-YLC 

5, Safety Health Environment Quality 6. Gender Specialist KMP-YLC 
Specialist KMP-YLC 

7. Communication Specialist KMP- 8. Social Specialist KMP-YLC 
YLC 


Subject: GOVERNANCE ASSESSMENT 
AUTHORITY_UNDER THE_IBRD LO 


MOBILITY PROJECT). 





I am directed to refer to the subject mentioned above and to say that Government 
of Sindh, through Sindh Mass Transit Authority (SMTA), Transport and Mass Transit 
Department (TMTD) is implementing Karachi Urban Mobility Project Yellow Line Corridor, 
which is funded the World Bank under IBRD Loan No. 8995-PK (Karachi Mobility Project) . 
The World Bank has now required to assess and report to the Bank over all Governance 
Structure and Internal Controls of Sindh Mass Transit Authority. 


In this regard, the World Bank has approved a questionnaire that is requested to 
be filled in by all directorates and projects under the control of SMTA. The same questionnaire 
is attached for your office to be filled in and sent back to the Project Director Karachi Mobility 
Project — Yellow Line BRTs by the close of business day on 16-07-2021 by surface mail / hard 
copy as well as on email to fms.ylc.kmp@gmail.com and pd.kmp.yle@gmail.com. The same 
questionnaire will also be emailed to you. 





Ce: 


1. PS to the Secretary Transport and Mass Transit Department, Government of Sindh 
2, PS to the Managing Director Sindh Mass Transit Authority, TMTD, Government of Sindh 
3, PS to the Project Director, Karachi Mobility Project 





Plot No. D-43 & D-43/1, Shahra-e-Ghalib, Block -2, Clifton, Karachi-Ph # 021-99332207-8 


TRANSPORT & MASS TRANSIT DEPARTMENT 








ENTITY LEVEL CONTROLS 


Control Objectives 
ontrol Environment 


tegrity, ethical values, and behavior of key executives 
o create and administer them. The control environ 
ards and reinforces them in practice - through policies and codes of conduct, and by example. 


lues of the people wh 
mmunicates ethical stand 


‚des of conduct and other policies regarding acceptable 
siness practices, conflicts of interest, or expected 
ındards of ethical or moral behavior exist and have 

‚en implemented. 


Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation; 
occupational safety and health; environmental protection 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons; 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local; HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance; communications; 


3 








Description of 
ontrol 





Control Considerations 





eness of controls depends on the integrity and ethical 
ment is influenced by how management 


- The effectiv 






Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, or 
expected standards of ethical or moral behavior 
and have they been implemented and 
communicated effectively? 


Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and 
insider trading? 








Are the codes periodically acknowledged by all 
employees? 
Are training programs conducted to ensure that 
employees understand the codes of conduct? 








Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 

Ifa written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? I 

Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 
do if they encounter improper behavior? 












Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement any 
appropriate changes in company policies or 
business practices in a timely manner? 

Is a register and record of complaints 
maintained regarding significant laws with 
which the entity is required to comply within its 






Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 





Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 
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Description of 
SMTA control 





Control Considerations 
Are training programs/workshops conducted to 
ensure that employees are familiar with the 
recent changes/ammendments of laws to have 
better idea ofthese cheanges? 


Is commitment to integrity and ethics 
communicated effectively throughout the 
organization, both in words and deeds? 
Do employees feel peer pressure to do the right 
thing, and do they avoid cutting corners to 
increase short-term profit? 
Does management appropriately deal with signs 
that problems exist, e.g., potential defective 
products or hazardous wastes, especially when 
Are training programs/workshops conducted for 
employees' moral guidance regarding 
ie poly for ppoabitating employees 


Control Objectives 


nstruction; medical; real estate; transportation 





one at the top," including explicit moral guidance 
out what is right and wrong, has been established and 
mmunicated throughout the organization. 

















anagement conducts business with employees, 

ppliers, customers, investors, creditors, insurers, 
mpetitors, and auditors, etc. on a high ethical plane and 
sists that others do so. 


Are ld dealings with customers, 
suppliers, employees, and other parties based on 
honesty and fairness (e.g., customer's over- 
payment or supplier's under billing is not 
ignored; no efforts are made to find a way to 
reject an employee”s legitimate claim for 
benefits; and reports to lenders are complete, 





¿medial action taken in response to departures from 
proved policies and procedures is appropriate and is 
mmunicated or otherwise becomes known throughout 
2 organization. 


Does management respond appropriately to 
violations of behavioral standards? 
Are disciplinary actions taken as a result of 
violations widely communicated in the entity? 





Do employees believe that, if caught violating 
behavioral standards, there will be 
repercussions? 

Has management provided guidance on the 
situations and frequency with which 
intervention may be needed? 
Is management intervention documented and 
explained appropriately? 





anagement’s intervention of established controls is 
propriate and well controlled. 





Are deviations from established policies 
investigated and documented? 





1e achievement of performance targets is reasonable - 
rticularly for short-term results - and compensation is 
t overly dependent upon their achievement. 


Is there an absence of extreme incentives or 
temptations that can unnecessarily and unfairly 
test people's adherence to ethical values? 


Are compensation and promotions based on 
factors other than solely the achievement of 
short term performance targets? 

Are controls in place to reduce temptations that 
might otherwise exist? 


ommitment to Competence - Management must specify the level of competence needed for particular jobs, and translate the 
‘sired level of competence into requisite knowledge and skills. 
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Description of 


Control Objectives Control Considerations SMTA control 


mal or Informal job descriptions or other means of Has management analyzed, on a formal or 
ning tasks that comprise particular jobs have been informal basis, the tasks comprising particular 
ıblished. jobs, considering such factors as the extent to 
which individuals must exercise judgment and 
2 ervision? 


he extent of related D 


‘a’ 
alyses of the knowledge and skills needed to perform Has management adequately determined the 
ys adequately have been performed. knowledge and skills needed to perform 











i indicating that employees 
and key managers appear to have the requisite 
knowledge and skills for their job functions? 
Does management demonstrate a commitment 
to provide sufficient competent accounting and 
financial personnel to keep pace with the growth 

lexity of the business? 


and/or comp 








“he SMTA Board or Audit Committee - The board and 
ts audit committee play an important role in setting 
‘he tone at the top. Qualities include the board or 
audit committee's independence from management, 


ature of its members, the extent 


the experience and st 
es, the 


of its involvement and oversight of activiti 
degree to which difficult questions are raised and 
pursued with management, and its interaction with 








Does the board include independent 


directors/members with appropriate background 
and expertise, given the nature of SMTA? 


Independence fro management has been achieved, such 
that necessary, even if difficult and probing, questions are 


raised. 














Has the independence of outside board members 
been adequately reviewed, including 


affiliations? 

Does the board constructively challenge 
management's planned decisions for strategic 
initiatives and major transactions, and probe for 
explanations of past results (e.g., budget 


d and/or audit committee 
represent an informed, vigilant and effective 


overseer of the financial reporting process and 


MTA’s internal control 
Does the board and/or audit committee give 


sufficient consideration to understanding 
s processes for monitoring business 
a ing the organization? 
Does a board that consists solely of an entity’s 
officers and employees (e.g., a small 
corporation) question and scrutinize activities, 
present alternative views and take appropriate 
action if necessars 2 
Do board committees exist? 
Are the existing committees sufficient, in 
subject matter and membership, to deal with 
important issues adeg uately? 




































Board committees are used, where warranted by the need 
for more in-depth or directed attention to particular 


matters. 
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Description of 
SMTA control 


Control Objectives m 


ectors/members on the board are knowledgeable and 
erienced, 


quency and timeliness with which meetings are held 
h Dirctor (F&A) and/or accounting officers, internal 
litors and external auditors are adequate. 


fficient information is provided to the board or 
nmittee members on a timely basis to allow 

nitoring of management's objectives and strategies, the 
ity's financial position and operating results, and terms 


Control Considerations 
Where an audit committee exists, is there a 
charter outlining its duties and responsibilities? 











Does the audit committee have adequate 
resources and authority to discharge its 

responsibilities? 
Do directors/members have sufficient 
knowledge, industry experience and time to 





Does the audit committee include at least one 
"financial expert"? 
Does the audit committee meet privately with 
the chief accounting officer(Director F&A) and 
internal and external auditors to discuss the 
reasonableness of the financial reporting 
process, system of internal control, significant 
comments and fecotImenua nets, and 





Does the audit commitieo review the scope of 
activities of the internal and external auditors at 





Does the board regularly receive key 
information, such as business plans, financial 
statements, major project initiatives, significant 





Is the audit committee kept apprised of 
accounting standards / Government Policies that 
impact SMTA, particularly with respect to 
judgmental areas involving the use of 


significant agreements. 








Do directors/members believe they receive the 
proper information? 
Does a process exist for informing the board of 
ignificant issues? 
Is information communicated in a timely 
manner? 








es, political payments, illegal payments). 

e board and/or audit committee provides oversight in 
termining the compensation of executive officers and 

ernal auditor, and the appointment and termination of 
se individuals. 


Does the compensation committee approve all 
management incentive plans tied to 





Does the compensation committee, in joint 
consultation with the audit committee, deal with 


fficient sensitive information is provided to the board 
audit committee regarding investigations and improper 
s (e.g., project delays, cost over runs, travel expenses 
senior officers, significant litigation, Investigations of 
rulatory agencies, defalcations, embezzlement or 
E compensation and retention issues regarding the 





Is the board and/or audit committee involved 
sufficiently in evaluating the effectiveness of the 
"tone at the top"? 

Does the board take steps to ensure an 
appropriate "tone"? 


ıe board and/or audit committee has a significant role 
establishing the appropriate "tone at the top." 
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Description of 


Control Considerations SMTA control 


Control Objectives Ml 
Does the board specifically address 
management's adherence to the code of 


> board or audit committee takes appropriate actions r audit committee issued 
a result of its findings, including special investigations, directives to management detailing specific 
actions to be taken? 













needed. 
Does the board or a dit committee oversee and 
take prompt action to follow-up its findings? 


s are reflected in how it accepts and 





[anagement's Philoso hv And Operating St le - Management's attitudes toward control 
¡anages business risks. Management ma be conservative or aggressive in selecting accounting principles and in developing 


lanagement evaluates business risks prior to accepting Does management move cautiously, proceeding 
jose risks (e.g., high risk ventures, extremely only after carefully analyzing the risks and 




















onservative ventures). potential benefits of a venture? 
Are there appropriate policies for such matters 


as accepting new business and conflicts of 
interest which are adequately communicated 
e organization? 


O d d 
Management monitors personnel turnover in key over of management or supervisory 
functions (e.g., operations, accounting, data processing, personnel been normal, rather than excessive? 
Internal audit). e key personnel left only after giving proper 
















notice, rather than quitting unexpectedly or on 











Has turnover of personnel other than 
management been normal, rather than 














gement give appropriate attention to 





Management has the appropriate attitude relative to the 
information systems processing and payment & 
accounting functions, and is concerned about the 


reliability of financial reporting and the safeguarding of 


assets. activities, rather th | 


on is decentralized, does 
“sign off” on report 

















Are valuable assets, including intellectual 

d information, protected from 
cess or use? 

Do senior managers frequently visit projects or 

divisional operations? 

Are project or divisional management meetings 


held frequently? 
Is there a mechanism available to remotly 


access overall project progress? 








There is frequent interaction between senior management 
and operating management, particularly when operating 


from geographically remote locations-. 


























Management has a positive attitude and takes appropriate Does management avoid excessive focus on 


actions toward financial / Government / Donor reporting, 


O 








Description of 
SMTA control 





Control Considerations 
Are personnel restricted from submitting 
inappropriate reports to meet targets (e.g., 
salespeople submitting orders to meet targets, 
knowing customers will return goods in the next 
period)? 

Have managers’ actions been proper, with no 
apparent signs of inappropriate practices? 


Control Objectives 


olicies, whether accounting principles have been 


tisapplied, important financial information not 
isclosed, or records manipulated or falsified). 








ctivities. 

‘he entity's organizational structure, and its ability to 
rovide the necessary information flow to manage its 
ctivities, are appropriate. 





Is the organizational structure appropriately 
centralized or decentralized, given the nature of 


the entity's operations? 
Does the structure facilitate the flow of 


information upstream, downstream and across 


all business activities? 
Are responsibilities and expectations for the 


entity's business activities communicated clearly 
to the executives in charge of those activities? 











‚ey managers' responsibilities are adequately defined, 
1anagers understand these responsibilities, and their 
nowledge and experience are adequate in light of their 
2sponsibilities. 
Are knowledge and experience of key managers 
adequate for their responsibilities? 
.eporting relationships are appropriate within the entity. I 


Are established reporting relationships (whether 
formal or informal, direct or matrix) effective, 
and do they provide managers information 
appropriate to their responsibilities and 








Do the executives responsible for business 
activities have access to communication 

channels to senior operating management? 
Does management periodically evaluate the 


entity's organizational structure in light of 


changes in the business or industry? 
Do managers and supervisors have sufficient 


time to carry out their responsibilities 





fodifications to the organizational structure are made 
ppropriately based on changed conditions. 








ufficient numbers of employees exist, particularly in 
1anagement and supervisory capacities. 





Do managers and supervisors work normal, 
rather than excessive amounts of overtime, thus 
fulfilling a manageable level of responsibilities 
for one employee? 
\ssignment of Authority and Responsibility - The assignment of responsibilities, delegation of authority and establishment of 
elated policies provide a basis for accountability and control. It involves the degree to which individuals and teams are 
ncouraged to use initiative in addressing issues and resolving problems as well as limits of their authority. A critical 
hallenge is to delegate only to the extent required to achieve objectives 


tesponsibility and delegation of authority are assigned to 
leal with organizational goals and objectives, operating 
unctions and regulatory requirements, including 








Is authority and responsibility assigned to 
employees throughout the entity? 

Are the number of people with requisite skill 
levels relative to the size of the entity, nature 
and complexity of activities and systems 
Do job descriptions contain specific references 
to control-related responsibilities? 











nformation systems and authorization for changes. 








` 


zontrol-related standards and procedures, including 
mployee job descriptions are appropriate. 
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4 Control Objectives 


legated authority in relation to assigned 
ponsibilities is appropriate. 


authority needed to "get the job done" and the 
involvement of senior personnel where needed? 
Are employees at the “right” level of 
empowerment to correct problems or implement 
improvements, and is empowerment 





Description of 
SMTA control 





Control Considerations 
Is there is an appropriate balance between 








accompanied by appropriate levels of 
competence and clear boundaries of authority? 
Is responsibility for information systems 

processing and program development clear? 





iman Resources Policies and Practices - Human resource policies and practices relate to hiring, training, evaluating, 
mpensating and terminating employees. Management's expectations of performance and behavior are communicated 





rough training and performance review. 


licies and procedures for hiring, training, promoting 
d compensating employees are in place. 


sople are made aware of their responsibilities and 
:pectations for them. 


emedial action taken in response to departures from 
yproved policies and procedures are appropriate. 


ersonnel policies address adherence to appropriate 
thical and moral standards. 

mployee candidate background checks, particularly 
rith regard to prior actions or activities considered to be 
nacceptable by the entity, are performed. 


‘mployee retention, promotion criteria, information- 
athering techniques (e.g., performance evaluations) and 
elation to the code of conduct or other behavioral 
uidelines are adequate. 











trustworthy people necessary to support an 
effective internal control system? 





When formal documentation of policies and 
procedures does not exist, does management 
communicate expectations about the type of 


people to be hired or participate directly in the 





Are there policies and procedures for hiring, 
training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.g., 
accounting, sales)? 

Do existing personnel policies and procedures 
result in recruiting or developing competent and 


Are new employees made aware of their 
responsibilities and management's expectations 





Do supervisory personnel meet periodically 
with employees to review job performance and 
suggestions for improvement? 


| management's response to failures to carry 


out assigned responsibilities appropriate? 





Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





Do employees understand that ineffective 
performance will result in remedial 


Are integrity and ethical values considered as 
criteria in performance appraisals? 
Are candidates with frequent job changes or 
gaps in employment history subjected to 
particularly close scrutiny? 
Do hiring policies require investigation for a 
criminal record? 
Are promotion and salary increase criteria 
detailed clearly so that individuals know what 
management expects prior to promotions or 
advancement? 
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Description of 
SMTA control 





Control Considerations 
Does criteria reflect adherence to behavioral 


Control Objectives 









isk Assessment en 
ıtity-Wide Objectives - Entity-wide objectives, required to have effective control, include broad statements 
tity desires to achieve, and are supported by related strategic plans. Objective setting is a precondition to risk assessment. 
aere first must be objectives before management can identify risks to their achievement and take necessary actions to 


anage the risks. 

atity-wide objectives provide sufficiently broad 
atements and guidance on what the entity desires to 
shieve, yet are specific enough to relate directly to this 


ntity. 


or what an 





Has management established entity-wide 
objectives? 
Are the entity wide objectives different than 
generic objectives that could apply to any entity 
(e.g., generate sufficient cash flow to service 
debt, or produce a reasonable return on 


nvestment)? 


intity-wide objectives are effectively communicated to Is information on the entity-wide objectives 
‚mployees and board of directors/members and disseminated to employees and the board of 














yeriodically undated. 

managers, other employees and the board 
g that communication to employees is 
I 






signifyin 















fective 
Business/Operational strategies are consistent with entity- Does the strategic plan support the entity-wide et 
wide objectives and regularly reviewed. 
resource allocation priorities? |] 
Is the strategic plan periodically reviewed and 
updated and approved by the entity's board of 
directors/members? 








Business/Operational plans and budgets are consistent 
with entity-wide objectives, strategic plans and current 
conditions. 








2 

le plans and budgets at an appropriate level of Wa 
detail for each management level? 

ty-Level Objectives - Activity-level objectives flow from and are linked with the entity-wide objectives and strategies. 


Activity-level objectives are frequently stated as goals with specific targets and deadlines. Objectives are established for each 
significant activity, and those activity-level objectives are consistent with each other. 





















Have activity-level objectives been established 
for all significant business processes? 

Is there adequate linkage between activity-level 
objectives, entity-wide objectives and strategic 


Activity-level objectives have been established; there is 
linkage between activity-level objective and entity-wide 
objectives; and strategic plans and objectives are 
consistent. 











to time for continued relevance? 

Are they complementary and reinforcing within 
activities? 
Are they complementary an 
between activities? 
Are objectives established for key activities in 


the flows of goods and services and support 
activities? 


Activity-level objectives are consistent with each other. 





d reinforcing 











Activity-level objectives are relevant to all significant 


business processes. 
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Description of 
Control Considerations SMTA control 


Are activity level objectives consistent with past 
practices and performances or with industry or 
functional metrics, and have the reasons for 
varia een considered? 





Control Objectives 








E Q 
ectives established for each significant 


tivity-level objectives are specific, measurable and are ives include assessment criteria that 
‚nitored. Adequate resources are available to achieve are specific, measurable, achievable, realistic 
> objectives. 
d on a regular basis? | 

















Are current resources sufficient to achieve 
objectives or has management identified the 
resources needed? 


ibjectives that are important (critical success factors) to Has management identified what must go right, 
chievement of entity-wide objectives are identified. or where failure must be avoided, for entity- 
i ¡ectives to be achieved? 






















Are capital spending and expense budgets based 
gement's analysis of the relative 
e of objectives? 














All appropriate levels of management are involved in ers participate in establishing activity 

objective setting and demonstrate commitment to the ;ectives for which they are responsible? 

objectives. 
Do managers support the objectives, and not ee 
have "hidden agendas? 














Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
level and the activity level. The risk-assessment process should consider external and internal factors that could impact 
achievement of the objectives, should analyze the risks, and provide a basis for managing them. 

















Mechanisms are in place to identify risks arising from Are there adequate mechanisms in place to 
external sources. dentify external risks that prevent the 
ievement of business objectives? External 














Supply sources 


Technology changes 








Creditor's demands 





Competitor's actions 


Economic conditions 





Political conditions 





Regulation 
— Natural events 
Are there adequate mechanisms in place to 
identify internal risks that prevent the 

pusiness objectives? Internal 


ources may include: 
Human resources (8.8. 








Mechanisms are in place to identify risks arising from 
internal sources. 








Control Objectives 


‘he risk analysis process is thorough and includes 
stimating the significance ofrisks, assessing the 
ikelihood of their occurring and identifying steps to 
aitigate them. 


[he risk assessment process is adequately monitored by 
senior management and/or the board. 


risks for each entity/projec/directorate and 
significant activity-level objective? 

Are risks analyzed to determine their 
significance and rate the likelihood and 
consequence of their occurring? 








Description of 
SMTA control 





Control Considerations 
Information technology 


Research & Development 





Marketing/Communicaton 
Are procedures performed to identify significant 












Are risks analyzed to determine what steps are 
required to mitigate the risk, if appropriate? 





Does the board or audit committee oversee and 
monitor the risk assessment program and ensure 
appropriate action is taken for significant risks? 


Managing Change — Economic, industry and regulatory environments change and entities? activities evolve. Mechanisms are 


needed to identify and react to changing conditions. 


Mechanisms exist to anticipate, identify and react to 
routine events or activities that affect achievement of 
entity or activity-level objectives. 


Mechanisms exist to identify and react to changes that 
can have a more dramatic and pervasive effect on the 


entity, and may demand the attention of top management. 





The accounting department has established processes to 
(1) identify significant changes in International Public 
Sector Accounting Standards (IPSAS) / Government 
Financial Rules (GFR) promulgated by relevant 
authoritative bodies (Controller General of Accounts), 
(2) notify the accounting department of changes in the 
entity’s business practices that may affect the method or 
the process of recording transactions, and (3) identify 
significant changes in internal control or the operating 
environment, including changes as a result of new or 
changing regulations 


react to routine events or activities that affect 
achievement of entity or activity-level 

Are risks and opportunities related to the 
changes addressed at sufficiently high levels in 


IPSAS/GFR Compliance — Entity accounting practices should anenitately reflect current IPSAS/GF 





Do mechanisms exist to anticipate, identify and 








the organization so their full implications are 
identified, and appropriate action plans 






changes that may impact the organization's 
mission and strategy and therefore affect entity- 
wide and activity-level objectives (e.g., rapid 
growth, new ee business acquisition, 






R and other regulatory 


Does the accounting department have a process 
in place to identify and address changes in 

IPSAS/GER, as well as for approving changes 
in accounting made to address such changes? 









Does management work with SMTA’s 
independent auditors or other third party experts 
to determine if they are addressing complex 
changes in IPSAS/GFR appropriately? 








Does the board of directors/members and/or the 
audit committee review and approve significant 
changes in the entity’s accounting practices? 
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Control Objectives 





Control Activities 


Policies and Procedures - Policies establish what should 





be done and procedures explain how it is carried out. 
Policies may be communicated orally or written. 
Regardless of method they must be implemented 
conscientiously and consistently. 





\ 








Description of 
SMTA control 






Control Considerations 


Are there processes to ensure the accounting 
department is made aware of changes in the 
operating environment so they can review the 
changes and determine what, if any, effect 
change may have on the entity’s accounting 
practices? 

Are there channels of communication between 
the accounting department and/or individual(s) 
in charge of monitoring regulatory rules so the 
accounting department is aware of regulatory 
changes that could affect the entity’s accounting 
practices? 









Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 
determine whether such transactions are 
appropriately accounted for and disclosed? 
Evaluate to what degree the DFA and Controller 
periodically review and approve the accounting 
practices as being in accordance with 
IPSAS/GFR and meeting the needs of the issuer. 
Does the DFA or Controller review and assess 
the ability and expertise of accounting personnel 
at each of its subsidiaries to properly report 
relevant information for disclosure purposes? 









Are there controls in place to ensure relevant 
information is captured at the lowest level to 
ensure proper reporting at the consolidated 












Are there policies and procedures in place to 
ensure the preparation of the statement of cash 
flows is in accordance with applicable 

frameworks? 





de is 





Are there policies and procedures (informal or 
documented) for generation of accounting 

transactions and financial statements and over 
developing and modifying accounting systems 












Are accounting and closing practices followed 


consistently at interim dates (e.g. monthly, 





entries? 
Is documentation for transactions timely and 
appropriate? 

Are policies and procedures reviewed 
periodically to determine continued 
appropriateness? 
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Description of 


Control Objectives SMTA control 






Does ownership of policies and procedures 


reside with the appropriate levels of 


idgetary Controls - Management has clear budget, em exist and is it 
afit, and other financial and operating goals. These a ensive in relation to 
als are clearly written and communicated throughout i ? 
2 entity, and are actively monitored and variances priately review key wa 
Idressed. gularly and identify 
communicated and discussed w 
directors/members and/or audit committee on a 
quarterly basis? 
Do financial statements and management reports 











investigated and is 
aken? 








ubmitted by various reporting units include 


ical comments and anal sis? 
a ; f 


different people to reduce the risk of fraud or 





inappropriate actions. Note: Specific areas o 
segregation of duties will be covered within the business 


Safeguarding of Assets - Periodic comparisons are made gement established procedures to 
of amounts recorded in the accounting system with orized access to, or destruction 
eto of, documents, records, and assets? 





Segregation of Duties — Duties are logically divided or 
segregated (whether manually or through appropriate set 
1p of information technology applications) among 















physical assets. Adequate safeguards are in plac 
prevent unauthorized access to or destruction of Are significant or recurring adjustments 
investigated to determine the reason for the 


documents, records, and assets. Note: Specific areas o 
j ts will be covered within the adjustment and are appropriate actions taken to 
address the root causes for the adjustments? 





















Shareholder Matters — Shareholder matters should be 


oud 








properly authorized and recorded. 





Stockholder records, stock issuance and 


treasury stock transactions? 
Communications with stockholders? 









accurately maintained? 
Are transactions for the following valid, 
authorized, complete, accurate and processed on 





> 








Stock buy 
Information and Communication ae Š 
Information - Information is identified, captured, process information sy 
includes industry, economic and regulatory information obtained from external sources, as well as internally generated 


n enables people to carry out their responsibilities. 














m O Pe 
stems. Relevant inform 


WALUR ORES 















information. This informatio 
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Description of 
Control Considerations SMTA control 


e Doprocedures require that management 
review control processes to ensure that the 





Control Objectives 
ternal and internal information is obtained, and 
wides management with necessary reports on the 
ity's performance relative to established entity-wide 
ectives, 





Are procedures i in place to monitor when 


controls are overridden and to determine if the 


° = Solar in place to assure 
that corrective action is taken on a timely basis 


Is internally generated information critical 
to achievement of the a s objectives 


Do managers r receive information that 

enables them to identify what action needs to be 
aken? 

e Is information provided at the right level o 
detail for different levels of management? 
e _ Is information summarized appropriately, 
providing pertinent information while 
permitting closer inspection of details as needed 


ormation is provided to the right people in sufficient 
ail and on time to enable them to carry out their 
ponsibilities efficiently and effectively to achieve 
ivity-level objectives. 








Is information available on a timely basis 
to allow effective monitoring of events and 
activities - internal and external - and prompt 
reaction to economic and business factors and 





ormation systems provide management with necessary 
orts on the entity’s performance relative to established 
ectives. 


Is the entity able to prepare accurate and 


timely financial reports, including interim 


Is there a high level of user satisfaction 
with information .. processing, including 


ernal controls over significant applications or 
ısactions that are executed/processed by service 
'anizations are effective. 


° Has the internal control environment at the 
service organization been documented and 


tested by an independent third party for the 


e Does the timing of the documentation and 
testing performed by the independent third party 
cover a significant portion of the year? 





mmunication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
iling with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 
1 up an organization and with parties external to the organization. 










ıployees' duties and control responsibilities are 
sctively communicated. 





e Are employees’ roles and responsibilities 
regarding internal control and risk assessment 
communicated clearly and effectively by 





Do a pansa know the objectives of their 
own activity and how their duties contribute to 





annels of communication for people to report 
pected improprieties have been established. 


Is there a way to communicate upstream 
through someone other than a direct superior, 
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Description of 


Control Objectives £ Control Considerations SMTA control 


Is anonymity permitted? 
Are persons who report suspected 
ieti ided feedback, and do they 
e Are all reported potential improprieties 
reviewed, investigated and resolved in a timely 
nagement is receptive to employee suggestions of 
rs to enhance productivity, quality or other similar 
yrovements? 


mmunication across the organization is effective (for 
imple, between procurement and production activities) 
I the completeness and timeliness of information is 











Are realistic mechanisms in place for 
employees to provide recommendations for 






+ Does management acknowledge good 
proc suggestions by providing cash awards 


ficient to enable people to discharge their 


ponsibilities effectively. 
annels with customers, suppliers and other external 
ties for communicating information on changing needs 
: open and effective. 
° Is information reported upstream as 


ıtside parties are made aware of the entity's ethical e Are important communications to outside 
indards. parties delivered by management level 
commensurate with the nature and importance 
of the message (e.g., senior executive 
periodically explains in writing the entity's 
2 
Do suppliers, customers and others know 
the entity's standards and expectations regarding 


Does information on competitors' new 
products or warranties reach eig, 











Are suggestions, complaints and other 
input captured and communicated to relevant 















Are improprieties by employees of external 
parties reported to the appropriate personnel? 





yllow-up action by management resulting from 
ymmunications received from customers, vendors, 
gulators or other external parties is timely and 
ypropriate. 


e _ Are personnel receptive to reported 
problems regarding products, services or other 
matters, and are such reports investigated and 


Are errors in customer billings corrected, 
and the source of the error investigated and 






Do appropriate personnel independent of 
those involved with the original transactions 





Are appropriate actions taken and is there 


follow-up communication with the original 
es? 


Page 14 of 17 








#2 








Description of 
SMTA control 





Control Objectives Control Considerations 


mitoring E 2 
‘oing Monitoring - Ongoing monitoring occurs in the ordinary course of operations, and includes regular management 
supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal 

trol system performance. Note: Additional monitoring controls will be covered within the business process analysis sections. 


‚onnel, in carrying out their regular activities, e Are operating personnel required to “sign 
larly obtain evidence as to whether the system of 


off’ on the accuracy of their units’ financial 
statements, and are they held responsible if 
Are suppliers' complaints of unfair 


erro d a 
practices by purchasing agents recorded and 
fully investigated? 


amunications from external parties, that corroborates Are customers’ complaints recorded and 
rally generated information or indicates problems, is i i 
ctively gathered and used. 

Do regulators communicate information to 


the entity regarding compliance or other matters 
sre is periodic comparison of amounts recorded by the = 






rnal control continues to function. 















Are there periodic comparisons of 


that reflect on the functioning of the internal 
ounting system with physical assets. accounting records to physical assets? 


nagement is responsive to internal and external 
litor (or external regulator) recommendations on 
ans to strengthen internal controls. 


magement seeks feedback on whether controls operate 
ectively when conducting training seminars, planning 
sions and other meetings. 


inagement monitors actions toward financial reporting, 

luding disputes over application of accounting financial reporting, including disputes over 
atments (e.g., selection of conservative vs. liberal application of accounting treatments? 
sounting policies, whether accounting principles have 


en misapplied, important financial information not 
sclosed, or records manipulated or falsified). 





rsonnel are asked periodically to state whether they 
derstand and comply with the entity's code of conduct 
d regularly perform critical control activities. 


1e scope and extent of internal audit activities is . 
propriate. 
, Do they have access to the board of 
e Aretheir scope, responsibilities and audit 


Are signatures required to evidence 
functions, such 





directors/members or audit committee? 
plans appropriate to the organization's needs? 
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rate Evaluations - It Is useful to take a fresh look at the internal control system from time to time, 


Control Objectives 


rate LYC UU 


‚m effectiveness, the scope and frequency ofseparate evaluations will depend primarily on an assessment of risks, and 
ving monitoring procedures. 


scope, frequency and methodology of separate 


uations of 


the internal control system is adequate. 


¡e evaluation process is appropriate and the objectives 
‘the evaluation are clearly stated. 


The methodology for evaluating a system is logical and 
appropriate and interim and final deliverables are 
adequately defined. 





gement 






























Fraud — Fra 





The level of docume 
resulting from the evaluation is appropriate. 


Mechanisms exist for capturing and rep 


Follow-up actions are timely 
reviewed by management. 








ntation developed during and 





and the board. 





orting identified 
ciencies. 





are appropriate and are followed. 









and appropriate and are 








ud prevention programs are essential to 
internal controls provide better opportunities to detect 


Management has implemented formal communication 


mechanisms, internal controls, and internal or external 
oversight processes to effectively prevent or deter fraud. 












Control Considerations 


mreg 
Are the evaluations condu 















































Reportin Deficiencies - Internal control deficiencies should be reported upstream 











s 








et the right 
and deter fraud. 








° 
¡th the requisite skills? 
Are the scope, depth of coverage and 
Does such m 
questionnaire 


fficient 





Does the evaluator gain 
of the enti 
erstanding obtained 











Is the evaluat 








coordinated ffort? 


operating instructions 
e I consideration 
evaluation nrocess? 











Do mechani 


ito egulators)? 
Do mechanism 





n 
evaluation 






Are the underlying causes 0 
investigated? 


Is there follow 





A et 


= E qt Lo t pn ang TÀ 
to iv 

















ne for an effect 






Is there a positive workplace 





threatened or 12 ored? 
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Is activities? 


o 
system is supposed to work and ho 
] ork? 
e Isan analysis made, using the 
results as measured against establishe 


ion team brought to 


e sthe evaluation process manage 
executive with requisite authori 2 

e Are policy manuals, organization charts, 
and the like available? 
given to documenting the 


° sms exist for capturing and 
reporting deficiencies from both internal sources 
and external sources (e.g., customers, suppliers, 


s exist for capturing and 
encies resulting from ongoing 


° reported to the person 
directly to appro priate individuals? 

e Are specified types of deficiencies 
rted to more senior management and to the 
Is the identified transaction or event 


e interna 





of how the 


w it actually 


evaluation 
d criteria? 








9 


environment that 


minimizes employees’ sense of feeling abused, 





° gether to 
plan the evaluation process and ensure @ 


Description of 
SMTA control 


focusing directly on 














































Description of 
SMTA control 





Control Considerations 

Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 
trust? 
Does SMTA react to and deal with acts of fraud 
in a manner that sends a strong message 
throughout SMTA that helps reduce the 


Control Objectives 


















programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 






Do communications to external parties regularly 
state SMTASs position on fraudulent activity and 
the potential consequences if fraud is detected? 





Has management implemented and does it 
continuously monitor the operation of internal 
controls designed to mitigate the risk of fraud? 





Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 
appropriate influence over the financial 
reporting process? 








Management has included the identification of fraud risks 
in its entity--wide risk assessment program or has 
established a separate risk assessment program that 
considers the vulnerability of SMTA to fraudulent 
activities. 


Does management make changes to the 
processes of the organization to reduce or 
eliminate the risk of fraud? 

Does the audit committee or board of 
directors/members evaluate management's 
identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 








Does management review identified fraud risks 
with the audit committee and seek guidance 
from the audit committee as to other associated 





Do internal auditors examine and evaluate 
adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 
proactive auditing: to search for corruption, 
misappropriation of assets, and financial 
statement fraud? 

Does management perform fraud brainstorming 
sessions? 

Have critical controls been identified to address 
identified fraud risks? 


Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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No. FMS/CG/YLC/SMTA/2021 j 125% 


GOVERNMENT OF SINDH vA J 
Karachi Mobility Project 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT DEPARTMENT 


Karachi Dated: 1* July 2021 


To, 
1. Director HR & Administration, 2. Director F & A, SMTA 
SMTA 
3. Director Infrastructure & Projects, 4. Procurement & Contract Management 
SMTA I Specialists , KMP-YLC 
5. Safety Health Environment Quality 6. Gender Specialist KMP-YLC 
Specialist KMP-YLC 
7. Communication Specialist KMP- 8. Social Specialist KMP-YLC 
YLC 
Subject: GOVERNANCE ASSESSMENT OF SINDH_ MASS TRANSIT 





AUTHORITY UNDER THE IBRD LOAN NO 
MOBILITY PROJEC 


8995-PK CHI 





I am directed to refer to the subject mentioned above and to say that Government 


of Sindh, through Sindh Mass Transit Authority (SMTA), Transport and Mass Transit 
Department (TMTD) is implementing Karachi Urban Mobility Project Yellow Line Corridor, 
which is funded the World Bank under IBRD Loan No. 8995-PK (Karachi Mobility Project) . 
The World Bank has now required to assess and report to the Bank over all Governance 
Structure and Internal Controls of Sindh Mass Transit Authority. 


In this regard, the World Bank has approved a questionnaire that is requested to 


be filled in by all directorates and projects under the control of SMTA. The same questionnaire 
is attached for your office to be filled in and sent back to the Project Director Karachi Mobility 
Project — Yellow Line BRTs by the close of business day on 16-07-2021 by surface mail / hard 
copy as well as on email to fms.ylc.kmp@gmail.com and pd.kmp.y! (Qgm il.com. The same 


questionnaire will also be emailed to you. 








PS to the Secretary Transport and Mass Transit Department, Government of Sindh 
PS to the Managing Director Sindh Mass Transit Authority, TMTD, Government of Sindh 
PS to the Project Director, Karachi Mobility Project 





Plot No. D-43 & D-43/1, Shahra-e-Ghalib, Block -2, Clifton, Karachi-Ph # 021-99332207-8 
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ENTITY LEVEL CONTROLS 






Description of 






Control Objectives 


ontrol Environment A a | 
tegritv. ethical values, and behavior of key executives - The effectiveness of controls depends on the integrity and ethical 
lues of the people who create and administer them. The control environment is influenced by how management 
mmunicates ethical standards and reinforces them in practice - through policies and codes of conduct, and by example. 


nsiderations 


— ss 
SER TER 





+z DE 









Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, or 
expected standards of ethical or moral behavior 
and have they been implemented and 
communicated effectively? 


3des of conduct and other policies regarding acceptable 
ısiness practices, conflicts of interest, or expected 
andards of ethical or moral behavior exist and have 

sen implemented. 








Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and 

insider trading? 








Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 


Ifa written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? 


Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 
do ifthey encounter improper behavior? 












Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement any 
appropriate changes in company policies or 
business practices in a timely manner? 


Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation, 
occupational safety and health; environmental protection, 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons, 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local, HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance; communications; 





Is a register and record of complaints 
maintained regarding significant laws with 
which the entity is required to comply within its 












Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 





Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 
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Description of 
SMTA control 





Control Considerations 
Are training programs/worksnops conducted to 
ensure that employees are familiar with the 
recent changes/ammendments of laws to have 
better idea of these cheanges? 

Is commitment to integrity and ethics 
communicated effectively throughout the 
organization, both in words and deeds? 

Do employees feel peer pressure to do the right 
thing, and do they avoid cutting corners to 
increase short-term profit? 

Does management appropriately deal with signs 
that problems exist, e.g., potential defective 
products or hazardous wastes, es pecially when 
Are training programs/workshops conducted for 
employees’ moral guidance regarding 
organization policy for prohibiting employees 
from accepting gifts from vendors? 


Management conducts business with employees, Are everyday dealings with customers, 
suppliers, customers, investors, creditors, insurers, suppliers, employees, and other parties based on 


Control Objectives 
nstruction; medical, rea: estate; transportation 





‘one at the top,” including explicit moral guidance 
‚out what is right and wrong, has been established and 
‚mmunicated throughout the organization. 



















sompetitors, and auditors, etc. on a high ethical plane and honesty and fairness (e.8., customer's over- 
insists that others do so. payment or supplier's under billing is not 
ignored; no efforts are made to find a way to 
reject an employee’s legitimate claim for 
benefits; and reports to lenders are complete, 


2 ate, and not misleading)? 
oes management respond appropriately to 


Remedial action taken in response to departures from 

approved policies and procedures is appropriate and is violations of behavioral standards? 
communicated or otherwise becomes known throughout Are disciplinary actions taken as a result of 
the organization. violations widely communicated in the entity? 








Do employees believe that, if caught violating 
behavioral standards, there will be 
repercussions? 


Has management provided guidance on the 
situations and frequency with which 
intervention may be needed? 

Is management intervention documented and 









Management’s intervention of established controls is 


appropriate and well controlled. 








explained appropriately? 
Are deviations from established policies 





investigated and documented? 


The achievement of performance targets is reasonable - Is there an absence of extreme incentives or 
particularly for short-term results - and compensation is temptations that can unnecessarily and unfairly 
not overly dependent upon their achievement. test people's adherence to ethical values? 








Are compensation and promotions based on 
factors other than solely the achievement of 


short term performance targ ets? 


Are controls in place to reduce temptations that 
might otherwise exist? 
e - Management must specify the level of competence needed for particular jobs, and translate the 


desired level of competence into requisite knowledge and skills. 
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Description of 
SMTA control 





Control Objectives m Control Considerations 


>rmal or Informal job descriptions or other means of Has management analyzed, on a formal or 
fining tasks that comprise particular jobs have been informal basis, the tasks comprising particular 





tablished. jobs, considering such factors as the extent to 
which individuals must exercise judgment and 








he extent of related supers on? 
Has management adequately determined the 
knowledge and skills needed to perform 
particular jobs? 
Does evidence exist indicating that employees 
and key managers appear to have the requisite 
knowledge and skills for their job functions? 








nalyses of the knowledge and skills needed to perform 
‚bs adequately have been performed. 











Does management demonstrate a commitment 
to provide sufficient competent accounting and 
financial personnel to keep pace with the growth 
and/or complexity of the business? 


The SMTA Board or Audit Committee - The board and 
ts audit committee play an important role in setting 
the tone at the top. Qualities include the board or 
audit committee's independence from management, 


the experience and stature of its members, the extent 
of its involvement and oversight of activities, the 
degree to which difficult questions are raised and 
pursued with management, and its interaction with 






Independence from management has been achieved, such 
that necessary, even if difficult and probing, questions are 
raised. 


Does the board include independent 
directors/members with appropriate background 
and expertise, given the nature of SMTA? 





Has the independence of outside board members 
been adequately reviewed, including 
affiliations? 
Does the board constructively challenge 
management's planned decisions for strategic 
initiatives and major transactions, and probe for 
explanations of past results (e.g., budget 
ariances)? 
Does the board and/or audit committee 
represent an informed, vigilant and effective 
overseer of the financial reporting process and 
MTA’s internal controls? 
Does the board and/or audit committee give 
sufficient consideration to understanding 
management's processes for monitoring business 
risks affecting the organization? 
Does a board that consists solely of an entity’s 
officers and employees (e.g., a small 
corporation) question and scrutinize activities, 
present alternative views and take appropriate 


action if necessarv? 
Do board committees exist? 























Board committees are used, where warranted by the need 
for more in-depth or directed attention to particular 
matters. 





Are the existing committees sufficient, in 
subject matter and membership, to deal with 
important issues adequately? 
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Description of 
SMTA control 





Control Considerations 
Where an audit committee exists, is there a 
charter outlining its duties and responsibilities? 


Control Objectives 


Does the audit committee have adequate 
resources and authority to discharge its 
responsibilities? 

Do directors/members have sufficient 
knowledge, industry experience and time to 
effectively? 





Jirectors/members on the board are knowledgeable and 
xperienced. 






"financial expert"? 
Does the audit committee meet privately with 
the chief accounting officer(Director F&A) and 
internal and external auditors to discuss the 
reasonableness of the financial reporting 
process, system of internal control, significant 
comments and recommendations, and 

"one 22 

Does the audit committee review the scope of 
activities of the internal and external auditors at 
least quarterly? 


Sufficient information is provided to the board or Does the board regularly receive key 

committee members on a timely basis to allow information, such as business plans, financial 

monitoring of management's objectives and strategies, the statements, major project initiatives, significant 
Is the audit committee kept apprised of 


‘requency and timeliness with which meetings are held 
vith Dirctor (F&A) and/or accounting officers, internal 
ıuditors and external auditors are adequate. 














entity's financial position and operating results, and terms contracts or negotiations? 
accounting standards / Government Policies that 


of significant agreements. 
impact SMTA, particularly with respect to 
judgmental areas involving the use of 


¿ motions and estimates? 
Do directors/members believe they receive the 


proper information? 


Sufficient sensitive information is provided to the board Does a process exist for informing the board of 
or audit committee regarding investigations and improper significant issues? 
acts (e.g., project delays, cost over runs, travel expenses i i 












of senior officers, significant litigation, Investigations of 
regulatory agencies, defalcations, embezzlement or 
misuse of corporate assets, violations of insider trader 
rules, political payments, illegal payments). 









The board and/or audit committee provides oversight in 
determining the compensation of executive officers and 
internal auditor, and the appointment and termination of 
those individuals. 


oes the compensation committee approve all 


D 

management incentive plans tied to 
performance? 

Does the compensation committee, in joint 
consultation with the audit committee, deal with 





compensation and retention issues regarding the 
internal auditor? 
The board and/or audit committee has a significant role Is the board and/or audit committee involved 


in establishing the appropriate "tone at the top." 






"tone at the top"? 
Does the board take steps to ensure an 
appropriate "tone"? 
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Description of 


Control Considerations SMTA control 


BE the board specifically address 


Control Objectives 





management's adherence to the code of 
conduct? 


ie board or audit committee takes appropriate actions Has the board or audit committee issued 
a result of its findings, including special investigations, directives to management detailing specific 





needed. actions to be taken? 
Does the board or audit committee oversee and 


take prompt action to follow-up its findings? 








lanagement's Philosophy And Operating Style - Management's attitudes toward controls are reflected in how it accepts and 
ıanages business risks. Management may be conservative or ag sressive in selecting accounting principles and in develop ing 


fanagement evaluates business risks prior to accepting Does management move cautiously, proceeding 
10se risks (e.g., high risk ventures, extremely only after carefully analyzing the risks and 





onservative ventures). potential benefits of a venture? 
Are there appropriate policies for such matters 

as accepting new business and conflicts of 

interest which are adequately communicated 

throughout the organization? 

Has turnover of management or supervisory 

personnel been normal, rather than excessive? Ll 
Have key personnel left only after giving proper 

notice, rather than quitting unexpectedly or on 


short notice? 

Has turnover of personnel other than 
management been normal, rather than 
excessive? 

Does management give appropriate attention to o 
Ts the accounting function viewed as a vehicle 
for exercising control over the entity's various 
activities, rather than as a necessary group of 
"score keepers"? 

Does the selection of accounting and 
government principles used in financial 
statements result in a fair presentation, as 
opposed to always resulting in the highest 

If the accounting i W 
operating management “sign off” on report 
results? 

Do business unit accounting personnel also have 
responsibility to central financial officers? 

Are valuable assets, including intellectual 
property and information, protected from 
unauthorized access or use? 


There is frequent interaction between senior management Do senior managers frequently visit projects or po] 
and operating management, particularly when operating divisional operations? 





Management monitors personnel turnover in key 
functions (e.g., operations, accounting, data processing, 
Internal audit). 








Management has the appropriate attitude relative to the 
information systems processing and payment & 
accounting functions, and is concerned about the 
reliability of financial reporting and the safeguarding of 
assets. 














from geographically remote locations-. Are project or divisional management meetings mu 
held frequently? 
Ts there a mechanism available to remotly Wi 








access overall project progress? 





Management has a positive attitude and takes appropriate 
actions toward financial / Government / Donor reporting, 


Does management avoid excessive focus on 
short-term reported results? 
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Description of 
SMTA control 





Control Considerations 

Are personnel restricted from submitting 
inappropriate reports to meet targets (e.g., 
salespeople submitting orders to meet targets, 
knowing customers will return goods in the next 
period)? 
Have managers’ actions been proper, with no 


s of inappropriate practices? 
s a company to carr out its activities. It 


blishes lines of authority and 
e. its goals and the nature of its 


Control Objectives | 


uding disputes over application of accounting 
tments (e.g., selection of conservative vs. liberal 
cies, whether accounting principles have been 
applied, important financial information not 
slosed, or records manipulated or falsified). 









ional Structure - The or anizational structure is the framework that allow. 
s of SMTA fit together defines key areas of responsibilit and esta 
iateness of an entit 's organizational structure depends on its siz 


tivities. 
e entity's organizational structure, and its ability to Is the organizational structure appropriately 
centralized or decentralized, given the nature of 
















ovide the necessary information flow to manage its 
tivities, are appropriate. the entity's operations? 





information upstream, 


all business activities? 
Are responsibilities and expectations for the 


entity's business activities communicated clearly 
to the executives in charge of those activities? 









ey managers' responsibilities are adequately defined, 
ianagers understand these responsibilities, and their 
nowledge and experience are adequate in light of their 
ssponsibilities. 









Are knowledge and experience ofkey managers 


adequate for their resp onsibilities? 
Are established reporting relationships (whether 
formal or informal, direct or matrix) effective, 
and do they provide managers information 
appropriate to their responsibilities and 
Do the executives responsible for business a 
activities have access to communication 
senior operating manag ement? 


Modifications to the organizational structure are made Me management periodically evaluate the 








teporting relationships are appropriate within the entity. 














appropriately based on changed conditions. in light of 
changes in the busines 2 


Sufficient numbers of employees exist, particularly in Do managers and supervisors have sufficient 
management and supervisory capacities. time to carry out their responsibilities 


Do managers and supervisors work normal, 

rather than excessive amounts of overtime, thus 

fulfilling a manageable level of responsibilities 
ee? 


shment of 











- The assignment of responsibilities, delegation of authority and establi 
ty and control. It involves the degree to which individuals and teams are 
d resolving problems as well as limits of their authority. A critical 





Assignment of Authority and Res onsibilit 
related policies provide a basis for accountabili 
encouraged to use initiative in addressing issues an 
challenge is to delegate only to the extent required to achieve objectives 


Is authority and responsibility assigned to 
employees throughout the entity? 
Are the number of people with requisite skill 
levels relative to the size of the entity, nature 
and complexi ctivities and systems 














Responsibility and delegation of authority are assigned to 
deal with organizational goals and objectives, operating 
functions and regulatory requirements, including 
information systems and authorization for changes. 








ofa 
Do job descriptions contain specific references 
to control-related resp onsibilities? 








Control-related standards and procedures, including 
criptions are appropriate. 
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Description of 


Control Objectives u Control Considerations SMTA control 


legated authority in relation to assigned Is there is an appropriate balance between 

;ponsibilities is appropriate. authority needed to "get the job done" and the 
involvement of senior personnel where needed? 
Are employees at the “right” level of 


empowerment to correct problems or implement 
improvements, and is empowerment 
accompanied by appropriate levels of 
competence and clear boundaries of authority? 
Is responsibility for information systems 
processing and program development clear? 





[uman Resources Policies and Practices - Human resource policies and practices relate to 


ompensating and terminating employees. Management's expectations of performance and behavior are communicated 
hrough training and performance review. 


'olicies and procedures for hiring, training, promoting Are there policies and procedures for hiring, 

nd compensating employees are in place. training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.g., 
a l ales)? 
Do existing personnel policies and procedures 
result in recruiting or developing competent and 
trustworthy people necessary to support an 












effective internal control system? 








When formal documentation of policies and 
procedures does not exist, does management 
communicate expectations about the type of 
people to be hired or participate directly in the 


hiring process? 


People are made aware of their responsibilities and Are new employees made aware of their 
expectations for them. responsibilities and management's expectations 








of them? 

Do supervisory personnel meet periodically 
with employees to review job performance and 
suggestions for improvement? 

Is management's response to failures to carry 
out assigned responsibilities appropriate? 






Remedial action taken in response to departures from 
approved policies and procedures are appropriate. 








Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





Do employees understand that ineffective 
performance will result in remedial 
consequences? 

Are integrity and ethical values considered as 
criteria in performance appraisals? 

Are candidates with frequent job changes or 
gaps in employment history subjected to 
varticularly close scrutiny? 

Do hiring policies require investigation for a 
criminal record? 

Are promotion and salary increase criteria 
detailed clearly so that individuals know what 
management expects prior to promotions or 
advancement? 





Personnel policies address adherence to appropriate 
ethical and moral standards. 
Employee candidate background checks, particularly 
with regard to prior actions or activities considered to be 
unacceptable by the entity, are performed. 











Employee retention, promotion criteria, information- 
gathering techniques (e.8., performance evaluations) and 
relation to the code of conduct or other behavioral 
guidelines are adequate. 
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Control Objectives 


isk Assessment 
tit 





anage the risks. 


itity-wide objectives provide sufficiently broad 
stements and guidance on what the entity desires to 
hieve, yet are specific enough to relate directly to this Are 











itity. 

















ntity-wide objectives are effectively communicated to I 
mployees and board of directors/members and 


eriodically undated. 

















3usiness/Operational strategies are consistent with entity- 
wide objectives and regularly reviewed. 

















conditions. 











Activity-Level Objectives 











Activity-level objectives have been established; there is 
linkage between activity-level objective and entity-wide 
objectives; and strategic plans and objectives are 
consistent. 











Activity-level objectives are consistent with each other. 








Activity-level objectives are relevant to 
business processes. 


all significant 








nvesu 
s information o 
disseminated to em 


signifyi 


Control Considerations 
Does criteria reflect adherence to behavioral 
standards? 





-Wide Objectives - Entity-wide objectives, required to have effective control, inc 
tity desires to achieve, and are supported by related strategic plans. Objective setting isa 
ere first must be objectives before management can identify risks to their achievement and 





the entity 


generic objecti 
(e.g., generate suffic 
debt, or produce a reasonable return on 





Does management obtain 
managers, other employees and the board 
g that communicat 


ctive? 





and current conditions 
Are plans and budgets 


detail for each management level? 

- Activity-level objectives flow from and are linked with the entity-wi 
Activity-level objectives are frequently stated as goals with specific targets and deadlines. Objectives a 
th each other. 


Business/Operational plans and budgets are consistent 
with entity-wide objectives, strategic plans and current budgets reflect the entity's histor 


significant activity, and those activity-level objectives are consistent wi 


Have activity- 
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lude broad statements or what an 
precondition to risk assessment. 
take necessary actions to 





wide objectives different than 
ves that could apply to any entity 
ient cash flow to service 





n the entity-wide objectives 
ployees and the board of 


feedback from key 


ion to employees is 





ess high level 


ly reviewed and 


ical experience 
at an appropriate level of 


de objectives and strategies. 
re established for each 


level objectives been established 
for all significant business processes? 

Is there adequate linkage between activity-level 
objectives, entity-wide objectives and strategic 


plans? 
Are activity level objectives reviewed from time 
for continued relevance? 

Are they complementary and reinforc 
activities? 
Are they complementary an 
between activities? 


Are objective 





d reinforcing 





s established for key activities in 
the flows of goods and services and support 


activities? 





Description of 
SMTA control 















Description of 


Control Objectives | Control Considerations SMTA control 


Are activity level objectives consistent with past 
practices and performances or with industry or 
functional metrics, and have the reasons for 





variances been considered? 
Are objectives established fo 





r each significant 





activity? 
Do objectives include assessment criteria that 


are specific, measurable, achievable, realistic 


and time based? 
Are objectives monitored on a regular basis? 





stivity-level objectives are specific, measurable and are 
ynitored. Adequate resources are available to achieve 
2 objectives. 











Are current resources sufficient to achieve 
objectives or has management identified the 


ibjectives that are important (critical success factors) to i i 
chievement of entity-wide objectives are identified. 
Are capital spending an 
on management's analysis of the relative 
importance of objectives? 
Do the objectives serving as critical success 











factors provide a basis for particular 
management focus? 


All appropriate levels of management are involved in Do managers participate in establishing activity 
objective setting and demonstrate commitment to the objectives for which they are responsible? 

















objectives. 
procedures exist to resolve disagreements? 


Do managers support the objectives, and not 
have "hidden agendas? 
Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
level and the activity level. The risk-assessment process should consider external and internal factors that could impact 

achievement of the objectives, should analyze the risks, and provide a basis for managing them. 































Are there adequate mechanisms in place to 
identify external risks that prevent the 

achievement of business objectives? External 
ources may include: 
Supply sources 


Mechanisms are in place to identify risks arising from 
external sources. 





Technology changes 
Creditor's demands 





Competitor's actions 
Economic conditions 
conditions 





= Regulation 
Natural events 





Mechanisms are in place to identify risks arising from 


Are there adequate mechanisms in place to 
internal sources. identify internal risks that prevent the 
achievement of business objectives? Internal 
ources may include: 


Human resources (e.8., retention ofkey 


O 





Control Objectives 


e risk analysis process is thorough and includes 
imating the significance of risks, assessing the 
-elihood of their occurring and identifying steps to 
itigate them. 


‘he risk assessment process is adequately monitored by 
enior management and/or the board. 


Vianaging Change — Economic, industry an 
reeded to identify and react to changing conditions. 


Vechanisms exist to anticipate, identify and react to 
routine events or activities that affect achievement of 


entity or activity-level objectives. 









Mechanisms exist to identify and react to changes that 
can have a more dramatic and pervasive effect on the 
entity, and may demand the attention of top management. 


The accounting department has established processes to 
(1) identify si gnificant changes in International Public 
Sector Accounting Standards (IPSAS) / Government 
Financial Rules (GFR) promulgated by relevant 
authoritative bodies (Controller General of Accounts), 
(2) notify the accounting department of changes in the 
entity’s business practices that may affect the method or 
the process of recording transactions, and (3) identify 
significant changes in internal control or the operating 
environment, including changes as a result of new or 
changing regulations 


Control Considerations 
risks for each entity/projec/directorate and 
significant activity-level objective? 

Are risks analyzed to d 

required to mitigate the risk, if appropriate? 
Does the board or audit committee oversee and 
monitor the risk assessment program and ensure 


d regulatory environments chan 


Description of 
SMTA control 


Information technology 
Sales/Ticketing 
Production 
Research & Development 
Marketing/Communicaton 
e procedures performed to identify significant 


appropriate action is taken for significant risks? 


ge and entities” activities evolve. Mechanisms are 











Do mechanisms exist to anticipate, identify and 
react to routine events or activities that affect 
achievement of entity or activity-level 
Are risks and opportunities related to the 
changes addressed at sufficiently high levels in 
the organization so their full implications are 
identified, and appropriate action plans 















Are mechanisms in place to identify and react to 
changes that may impact the organization's 
mission and strategy and therefore affect entity- 
wide and activity-level objectives (e.g., rapid 
growth, new products, business acquisition, 


















Does the accounting department have a process 
in place to identify and address changes in 

IPSAS/GFR, as well as for approving changes 
in accounting made to address such changes? 





Does management work with SMTA’s 
independent auditors or other third party experts 
to determine if they are addressing complex 
changes in IPSAS/GFR appropriately? 





Does the board of directors/members and/or the 
audit committee review and approve significant 
changes in the entity’s accounting practices? 
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Control Objectives 


Control Activities 


Policies and Procedures - Policies establish what should 





be done and procedures explain how it is carried out. 
Policies may be communicated orally or written. 
Regardless of method they must be implemented 
conscientiously and consistently. 
















Description of 
SMTA control 






Control Considerations 

Are there processes to ensure the accounting 
department is made aware of changes in the 
operating environment so they can review the 
changes and determine what, if any, effect 


change may have on the entity’s accounting 
ices? 


Did 

Are there channels of communication between 
the accounting department and/or individual(s) 
in charge of monitoring regulatory rules so the 
accounting department is aware of regulatory 
changes that could affect the entity’s accounting 
practices? 


Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 
determine whether such transactions are 
appropriately accounted for and disclosed? 
Evaluate to what degree the DFA and Controller 
periodically review and approve the accounting 
practices as being in accordance with 
IPSAS/GFR and meeting the needs of the issuer. 


Does the DFA or Controller review and assess 
the ability and expertise of accounting personnel 
at each of its subsidiaries to properly report 
relevant information for disclosure purposes? 


Are there controls in place to ensure relevant 
information is captured at the lowest level to 
ensure proper reporting at the consolidated 






























Are there policies and procedures in place to 
ensure the preparation of the statement of cash 
flows is in accordance with applicable 
frameworks? 






Are there policies and procedures (informal or 
documented) for generation of accounting 
transactions and financial statements and over 


developing and modifying accounting systems 












Do appropriate levels of management review 
significant accounting estimates and support for 
unusual transactions and non-standard journal 
entries? 
Is documentati 
appropriate? 
Are policies and procedures reviewed 
periodically to determine continued 
appropriateness? 
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Description of 


Control Objectives SMTA control 


Does ownership of policies and procedures 
reside with the appropriate levels of 
management? 


idgetary Controls - Management has clear budget, Does a budgeting system exist and is it 

ofit, and other financial and operating goals. These priate and comprehensive in relation to 
vals are clearly written and communicated throughout 's structure? 

e entity, and are actively monitored and variances Does management appropriately review key 














idressed. 





ors regularly and identify 
Are variances in planned performance 
communicated and discussed with the board of 


submitted by various reporting units include 
analytical comments and analysis? 


Jegregation of Duties — Duties are logically divided or Is there appropriate segregation of incompatible 
segregated (whether manually or through appropriate set duties in general? 






yp of information technology applications) among 
different people to reduce the risk of fraud or 

inappropriate actions. Note: Specific areas o 
segregation of duties will be covered within the business 


Safeguarding of Assets - Periodic comparisons are made Has management established procedures to 
of amounts recorded in the accounting system with prevent unauthorized access to, or destruction 














physical assets. Adequate safeguards are in place to of. documents, records, and assets? 
prevent unauthorized access to or destruction of Are significant or recurring adjustments 
documents, records, and assets. Note: Specific areas o investigated to determine the reason for the 
safeguarding of assets will be covered within the adjustment and are appropriate actions taken to 
address the root causes for the adjustments? 











Do formal policies and procedures exist to 


address: 
— Stockholder records, stock issuance and 


treasury stock transactions? 

| | — Communications with stockholders? 
Are stockholder records completely and 
accurately maintained? 

Are transactions for the following valid, 
authorized, complete, accurate and processed on 
atimely basis and documented? 
Stock issuance 
Stock option issuance 
Exercise/retirement of stock options 


Stock buy-backs and treasury stock 





Shareholder Matters — Shareholder matters should be 
properly authorized and recorded. 


























tion systems. Relevant information 
as well as internally generated 


Information and Communication 
Information - Information is identified, captured, processed and reported by informa 
includes industry, economic and regulatory information obtained from external sources, 
rmation enables people to carry out their responsibilities. 












information. This info 
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Description of 


Control Objectives u Control Considerations SMTA control 


«ternal and internal information is obtained, and e Do procedures require that management 
ovides management with necessary reports on the review control processes to ensure that the 
itity's performance relative to established entity-wide A i i š 

ajectives. e Are procedures in pl 









controls are overridden and to determine ifthe 
e _ Are policies/procedures in place to assure 
that corrective action is taken on a timely basis 
ontrol exceptions occur? 

e Is internally generated information critical 


to achievement of the entity's objectives 
i 2 eported? 


nformation is provided to the right people in sufficient receive information that 

letail and on time to enable them to carry out their 

esponsibilities efficiently and effectively to achieve aken? 

ictivity-level objectives. e _ Is information provided at the right level o 
detail for different levels of mana gement? 
e Is information summarized appropriately, 
providing pertinent information while 

















permitting closer inspection of details as needed 
han i 2 a of data"? 

e Is information available on a timely basis 

to allow effective monitoring of events and 

activities - internal and external - and prompt 

reaction to economic and business factors and 














e Is the entity able to prepare accurate and 

timely financial reports, including interim 

eports? 

e  Isthereahigh level of user satisfaction 

with information systems processing, including 
eliability and timeliness of reports? 

+ Has the internal control environment at the 

service organization been documented and 

tested by an independent third party for the 

nt functions? 

Does the timing of the documentation and 

testing performed by the independent third party 

cover a significant portion of the year? 





objectives. 





Information systems provide management with necessary 
reports on the entity”s performance relative to established 











Internal controls over significant applications or 
transactions that are executed/processed by service 
organizations are effective. 








Communication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 
and up an organization and with parties external to the organization. 















e Are employees’ roles and responsibilities 
regarding internal control and risk assessment 
communicated clearly and effectively by 
managemen 2 

e Do employees know the objectives oftheir 
own activity and how their duties contribute to 
ieving ose obie ives? 

e Is there a way to communicate upstream 
through someone other than a direct superior, 


idsman or corporate cou el? 


Employees’ duties and control responsibilities are 
effectively communicated. 








Channels of communication for people to report 
suspected improprieties have been established. 
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Description of 
SMTA control 








Control Considerations 
Is anonymity permitted? 


Control Objectives 





communication channel? 
e _ Are persons who report suspected 
ack, and do they 












Are all reported potential improprieties 
reviewed, investigated and resolved in a timely 




















[anagement is receptive to employee suggestions of e _ Are realistic mechanisms in place for 
'ays to enhance productivity, quality or other similar employees to provide recommendations for 
nprovements? improvement? 
e Does management acknowledge good 
employee suggestions by providing cash awards 
er meaningful recognition? 
Sommunication across the organization is effective (for e Do salespeople inform engineering, 
xample, between procurement and production activities) »roduction and marketing of customer needs? 
ind the completeness and timeliness of information is e Do accounts receivable personnel advise 
‚ufficient to enable people to discharge their the credit approval function of slow pa ers? 
esponsibilities effectively. + Does information on competitors' new 
i ach engineering, 
eting and sales personnel? 









Do feedback mechanisms with all pertinent 


Channels with customers, suppliers and other external 
parties for communicating information on changing needs parties exist? 
are open and effective. 


e Are suggestions, complaints and other 
Outside parties are made aware of the entity's ethical e Are important communications to outside 
standards. parties delivered by management level 
commensurate with the nature and importance 
of the message (e.g., senior executive 
iodi entity's 
Do suppliers, customers and others know 











d and communicated to relevant 
ectations regarding 






Follow-up action by management resulting from 
communications received from customers, vendors, 
regulators or other external parties is timely and 
appropriate. 


e _ Are personnel receptive to reported 
problems regarding products, services or other 
matters, and are such reports investigated and 


pon? 
e Are errors in customer billings corrected, 
and the source of the error investigated and 
ed 2 

Do appropriate personnel independent of 
those involved with the original transactions 
omplaints? 

e Are appropriate actions taken and is there 
follow-up communication with the original 
ources? 
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Description of 





Control Objectives Control Considerations SMTA control 
Tonitoring A 





ngoing Monitoring - Ongoing monitoring occurs in the ordinary course of operations, an 
id supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal 
trol system performance. Note: Additional monitoring controls will be covered within the business process analysis sections. 






‚gularly obtain evidence as to whether the system of off” on the accuracy of their units’ financial 
\ternal control continues to function. statements, and are they held responsible if 


are di avered? 


‘ommunications from external parties, that corroborates e _ Are customers’ complaints recorded and 
aternally generated information or indicates problems, is investigated for their underlying causes? 
ffectively gathered and used. e Are suppliers’ complaints of unfair 





ersonnel, in carrying out their regular activities, E Are operating personnel required to “sign 

















practices by purchasing agents recorded and 

fully investigated? 

e Do regulators communicate information to 
the entity regarding compliance or other matters 
that reflect on the functioning of the internal 












e Are controls that should have prevented or 
detected the problems reassessed? 

e Are there periodic comparisons of 
accounting records to physical assets? 

e Do executives with proper authority decide 
which of the auditors' recommendations will be 
implemented? 

e Are desired actions followed up to verify 


implementation? 
e Are relevant issues and questions raised at 
training. seminars captured? 

e Are employee suggestions communicated 
upstream and acted on as appro priate? 


+ Does management monitor actions toward 
financial reporting, including disputes over 
application of accounting treatments? 


e Are signatures required to evidence 

performance of critical control functions, such 
onciling specified amounts? 

e Are there appropriate levels of competent 

and experienced staff? 

e Is their position within the organization 


appropriate? 
° Do they have access to the board of 


directors/members or audit committee? 
+ Are their scope, responsibilities and audit 
plans appropriate to the organization's needs? 












There is periodic comparison of amounts recorded by the | | 
accounting system with ph sical assets. 

Management is responsive to internal and external 
auditor (or external regulator) recommendations on 
means to strengthen internal controls. 









Management seeks feedback on whether controls operate 
effectively when conducting training seminars, planning 
sessions and other meetings. 





Management monitors actions toward financial reporting, 
including disputes over application of accounting 
treatments (e.g., selection of conservative vs. liberal 
accounting policies, whether accounting principles have 
been misapplied, important financial information not 
disclosed, or records manipulated or falsified). 
Personnel are asked periodically to state whether they 
understand and comply with the entity's code of conduct 


and regularly perform critical control activities. 
The scope and extent of internal audit activities is 


appropriate. 
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Description of 
Control Objectives Control Considerations SMTA control 


arate Evaluations - It Is useful to take a fresh look at the internal control system from time to time, focusing directly on 
stem effectiveness, the scope and frequency of separate evaluations will depend primarily on an assessment of risks, and 


ıgoing monitoring procedures. 


1e scope, frequency and methodology of separate Are appropriate portions of the internal 
raluations of the internal control system is adequate. control system regularly evaluated? 
e Are the evaluations conducted by 











personnel with the requisite skills? 
e Are the scope, depth of coverage and 


frequency adequate? 
Does such methodology include checklists, 



















he evaluation process is appropriate and the objectives Does the evaluator gain a sufficient 

f the evaluation are clearly stated. nderstanding of the entity's activities? 
e Is an understanding obtained of how the 
system is supposed to work and how it actually 


do ork? a 
e Isan analysis made, using the evaluation 
results as measured against established criteria? 





plan the evalu 
coordinated effort? 

e _Isthe evaluation process managed by an 

executive with requisite authority? 

e Are policy manuals, organization charts, 

operating instructions and the like available? 

sideration given to documenting the 





ation process and ensure a 
adequately defined. 






The methodology for evaluating a system is logical and + Is the evaluation team brought together to 
appropriate and interim and final deliverables are 


The level of documentation developed during and 
resulting from the evaluation is appropriate. 


Reporting Deficiencies - Internal control deficiencies should be reported upstream with certain matters reported to top 


management and the board. 





+ Do mechanisms exist for capturing and 
reporting deficiencies from both internal sources 
and external sources (e.g., customers, suppliers, 















O 
+ Do mechanisms exist for capturing and 


reporting deficiencies resulting from ongoing 


monitoring or separate eva ations? 


ies reported to the person 








Mechanisms exist for capturing and reporting identified 

internal control deficiencies. 
e Are specified types of deficiencies 
reported to more senior management and to the 


Reporting protocols are appropriate and are followed. i 
e _Isthe identified transaction or event 
corrected? 


Follow-up actions are timely and appropriate and are 
reviewed by management. 
Are the underlying causes of the problem 


Fraud — Fraud prevention programs are essential to set the right tone for 
internal controls provide better opportunities to detect and deter fraud. 

Is there a positive workplace environment that 
minimizes employees! sense of feeling abused, 


threatened or ignored? 
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Management has implemented formal communication 
mechanisms, internal controls, and internal or external 
oversight processes to effectively prevent or deter fraud. 











Description of 
Control Considerations SMTA control 


Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 
trust? 
Does SMTA react to and deal with acts of fraud 
in a manner that sends a strong message 

helps reduce the 


Are there ongoing int ication 
programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 

Do communications to external parties regularly 
state SMTA's position on fraudulent activity and 
the potential consequences if fraud is detected? 


emented and does it 
continuously monitor the operation of internal 
gate the risk of fraud? 


Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 

iate i er the financial 

audit committ 

directors/members evaluate management's 
identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 


Does management review identified fraud risks 
with the audit committee and seek guidance 


from the audit committee as to other associated 


Control Objectives 










































Management has included the identification of fraud risks 
in its entity--wide risk assessment program or has 
established a separate risk assessment program that 
considers the vulnerability of SMTA to fraudulent 
activities. 






















Do internal auditors examine and evaluate 


adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 
proactive auditing: to search for corruption, 

i priation of assets, and financial 


sessi 














ons? 
Have critical controls been identified to address 
identified fraud risks? 

Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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GOVERNMENT OF SINDH 
Karachi Urban Mobility Projeet 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT 
DEPARTMENT 

No. SDS/YLC/SMTA/2021/ 001 Karachi Dated: July 26, 2021 





/ Financial Management Specialist, 
Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 
Karachi. 


GOVERNANCE ASSESSMENT OF SINDH_MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 
MOBILITY PROJECT). 


SUBJECT: 








I am in recept of your letter reference number 
FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 
and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 


to you. 
SOCIAL DEVELOPMENT SPECIALIST 
C.c to: 
1. PS to Project Director, Karachi Mobility Project. 
2. Master File. 
Enclosure: 


1. Filled-in Questionnaire 








House 4 D-43/1, Block 2 Clifton, Karachi, 75600 Tel: 021 99333208 Ext.30 Email: sds.kmp.yle@gmail.com 


ENTITY LEVEL CONTROLS 








Description of 
ontrol 





Control Objectives Control Considerat 


= ee 


»ntrol Environment Be 


eority, ethical values, and behavior of key executives - The effectiveness of 
ues of the people who create and administer them. The control environment is influenced by how management 
nmunicates ethical standards and reinforces them in practice - through policies and codes of conduct, and by example. 


Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, or 

expected standards of ethical or moral behavior N Ö 
and have they been implemented and 

communicated effectively? 


Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and N D 








des of conduct and other policies regarding acceptable 
siness practices, conflicts of interest, or expected 
indards of ethical or moral behavior exist and have 

en implemented. 






ted to ensure that 
f conduct? 









Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 

If a written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? 

Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 
do if they encounter improper behavior? 












Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement any 
appropriate changes in company policies or 
business practices in a timely manner? 


Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation; 
occupational safety and health; environmental protection; 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons; 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local; HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance; communications; 





Is a register and record of complaints 
maintained regarding significant laws with 
which the entity is required to comply within its 









Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 









Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 
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Description of 
SMTA control 





Control Considerations 
Are training programs/workshops cone ucted to 


ensure that employees are familiar with the 
recent changes/ammendments of laws to have 
better idea of these cheanges? 


Control Objectives 


str. on; medical; real estate; transportation ü 












Ts commitment to integrity and ethics 
communicated effectively throughout the 
anization, both in words and deeds? 

Do employees feel peer pressure to do the right 
avoid cutting corners to 


one at the top," including explicit moral guidance 
out what is right and wrong, has been established and 
mmunicated throughout the organization. 









Does management app 
that problems exist, e.g., potential defective 
oroducts or hazardous wastes, es pecially when 
Are training programs/workshops conducted for 
employees’ moral guidance regarding 

cy for prohibiting employees 
from vendors? 


Management conducts business with employees, e everyday dealings wi 
uppl. -, customers, investors, creditors, insurers, pliers, employees, and other parties based on 
‚ompetitors, and auditors, etc. on 4 high ethical plane and honesty and fairness (e.g. customer's over- 









nsists that others do so. payment or supplier's under billing is not 
ignored; no efforts are made to find a way to 
reject an employee’s legitimate claim for 
benefits; and reports to lenders are complete, 


ate, and not misiead ne)? 













oes management respond appropriately to 
al standards? 
a result of 


violations widely communicated in the entity? 








the organization. 





Do employees believe that, if caught violating 
behavioral standards, there will be 
repercussions? 

Has management provided guidance on the 
situations and frequency with which 
intervention may be needed? 


Is management intervention documented and 
explained appropriately? 





Remedial action taken in response to departures from 
approved policies and procedures is appropriate and is i 
communicated or otherwise becomes known throughout 








Management’s intervention of established controls is 


appropriate and well controlled. 











Are deviations from established policies 
investigated and documented? 








Is there an absence of extreme incentives or 
temptations that can unnecessarily and unfairly 
test people's adherence to ethical values? 


The achievement of performance targets is reasonable - 
particularly for short-term results - and compensation is 
not overly dependent upon their achievement. 











Are compensation and promotions based on 
factors other than solely the achievement of 








might otherwise exist? 
Commi nce - Management must specify the level of competence needed for partic 


desired level of competence into requisite knowledge and skills. 


ular jobs, and translate the 









Page 2 of 17 


O 








Description of 
SMTA control 





Control Objectives Xx Control Considerations 
tm. . or Informal job descriptions or other means of Has management analyzed, on a formal or 
fining tasks that comprise particular jobs have been informal basis, the tasks comprising particular 
tablished. jobs, considering such factors as the extent to 

which individuals must exercise judgment and 
he extent of related pervision? 
Has management adequately determined the 


knowledge and skills needed to perform 


particular jobs? 
Does evidence exist indicating that employees 


and key managers appear to have the requisite 
knowledge and skills for their job functions? 






nalyses of the knowledge and skills needed to perform 
bs adequately have been performed. 














Does management demonstrate a commitment 
to provide sufficient competent accounting and 

financial personnel to keep pace with the growth 
and/or complexity of the business? 
The SMTA Board or Audit Committee - The board and 
ts audit committee play an important role in setting 
the 2 at the top. Qualities include the board or 
audit committee's independence from management, 
the experience and stature of its members, the extent 
of its involvement and oversight of activities, the 
degree to which difficult questions are raised and 
pursued with management, and its interaction with 





Independence from management has been achieved, such 
that necessary, even if difficult and probing, questions are 
raised. 


Does the board include independent 
directors/members with appropriate background 
and expertise, given the nature of SMTA? 









Has the independence of outside board members 
been adequately reviewed, including 
affiliations? 
Does the board constructively challenge 
management's planned decisions for strategic 
initiatives and major transactions, and probe for 
explanations of past results (e.g., budget 
ariances)? 
Does the board and/or audit committee 
represent an informed, vigilant and effective 
overseer of the financial reporting process and 
























Does the board and/or audit committee give 
sufficient consideration to understanding 
management's processes for monitoring business 
risks affecting the organization? 

Does a board that consists solely of an entity’s 
officers and employees (e.g., a small 
corporation) question and scrutinize activities, 
present alternative views and take appropriate 
action i ary? 

Do board committees exist? 
















Board committees are used, where warranted by the need 
for more in-depth or directed attention to particular 
matters. 





Are the existing committees sufficient, in 
subject matter and membership, to deal with 
important issues adequately? 
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Description of 


Control Considerations SMTA control 


Where an audit committee exists, is there a 
charter outlining its duties and responsibilities? 





j Control Objectives 


> 








Does the audit committee have adequate 
resources and authority to discharge its 

responsibilities? 
Do directors/members have sufficient 
knowledge, industry experience and time to 


serve effectively? 
Does the audit committee include at least one 
"financial expert"? 

Does the audit committee meet privately with 
the chief accounting officer(Director F&A) and 
internal and external auditors to discuss the 
reasonableness of the financial reporting 
process, system of internal control, significant 
comments and recommendations, and 


Does the audit committee review the scope of 
activities of the internal and external auditors at 


least quarterly? 
Does the board regularly receive key 


information, such as business plans, financial 





S 


š 








rectors/members on the board are knowledgeable and 
perienced. 














2quency and timeliness with which meetings are held 
th Dirctor (F&A) and/or accounting officers, internal 
ditors and external auditors are adequate. 




















fficient information is provided to the board or 
mmittee members on a timely basis to allow 

mitoring of management's objectives and strategies, the 
tity's financial position and operating results, and terms 
significant agreements. 








ee kept apprised of 
accounting standards / Government Policies that 
impact SMTA, particularly with respect to 





fficient sensitive information is provided to the board 
audit committee regarding investigations and improper 
s (e.g., project delays, cost over runs, travel expenses 
senior officers, significant litigation, Investigations of 
rulatory agencies, defalcations, embezzlement or 

suse of corporate assets, violations of insider trader 

es, political payments, illegal payments). 


Does a process exist for informing the board of 
ificant issues? 
Is information communicated in a timely 
manner? 








e board and/or audit committee provides oversight in 
termining the compensation of executive officers and 

ernal auditor, and the appointment and termination of 
se individuals. 


Does the compensation committee approve all 
management incentive plans tied to 








Does the compensation committee, in joint 
consultation with the audit committee, deal with 


Cnos 


= 
~> 





Den 


e board and/or audit committee has a significant role 
establishing the appropriate "tone at the top." sufficiently in evaluating the effectiveness of the 
"tone at the top"? 
Does the board take steps to ensure an 


appropriate "tone"? 
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Description of 
SMTA control 





Control Objectives Lal 


The board or audit committee takes appropriate actions 
as a result of its findings, including special investigations, 


Control Considerations 
Does the board specifically address 
management's adherence to the code of 


conduct? 
Has the board or audit committee issued 


directives to management detailing specific 


actions to be taken? 
Does the board or audit committee oversee and 


take prompt action to follow-up its findings? 











as needed. 


EE 


Management's Philosophy And Operating Style - Management's attitudes toward controls are reflected in how it accepts and 
manages business risks. Management may be conservative or aggressive in selecting accounting principles and in developing 


Management evaluates business risks prior to accepting Does management move cautiously, proceeding 
those risks (e.g., high risk ventures, extremely X < 
conservative ventures). 


only after carefully analyzing the risks and 
Man: nent monitors personnel turnover in key 
functions (e.g., operations, accounting, data processing, 
Internal audit). 


potential benefits of a venture? 
Are there appropriate policies for such matters 
Management has the appropriate attitude relative to the 
information systems processing and payment & 
accounting functions, and is concerned about the 


as accepting new business and conflicts of 
interest which are adequately communicated 
reliability of financial reporting and the safeguarding of 
assets. 














hroughout the organization? 
Has turnover of management or supervisory 
personnel been normal, rather than excessive? 








Have key personnel left only after giving proper 
notice, rather than quitting unexpectedly or on 
short notice? 
Has turnover of personnel other than 
management been normal, rather than 
excessive? 
Does management give appropriate attention to 
internal controls? 
Is the accounting function viewed as a vehicle 
for exercising control over the entity's various 
activities, rather than as a necessary group of 














Does 
government principles used in financial 
statements result in a fair presentation, as 
opposed to always resulting in the highest 
eported savings? 

If the accounting function is decentralized, does 
operating management “sign off” on report 
results? 
Do business unit accounting personnel also have 
responsibility to central financial officers? 


E 


eye] ES 
N 








< 


Are valuable assets, including intellectual 
property and information, protected from 
unauthorized access or use? 
Do senior managers frequently visit projects or 
divisional operations? 
Are project or divisional management meetings 


held frequently? 
Is there a mechanism available to remotly 


access overall project progress? 





There is frequent interaction between senior management 
and operating management, particularly when operating 
from geographically remote locations-. 











Management has a positive attitude and takes appropriate 
actions toward financial / Government / Donor reporting, 


Does management avoid excessive focus on 
short-term reported results? 
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Description of 
SMTA control 






Control Considerations 
Are personnel restricted from submitting 
inappropriate reports to meet targets (e.g., 
salespeople submitting orders to meet targets, 
knowing customers will return goods in the next 


Control Objectives 


uc...g disputes over application of accounting 
tments (e.g., selection of conservative vs. liberal 





icies, whether accounting principles have been 
applied, important financial information not 
slosed, or records manipulated or falsified). 





Have managers’ actions been proper, with no 
apparent signs of inappropriate practices? 

anizational Structure - The organizational structure is the framework that allows a compan to carry out its activities. It 
ines how the parts of SMTA fit together, defines key areas of responsibility and establishes lines of authority and 

ropriateness of an entity's organizational structure depends on its size, its goals and the nature of its 








ivities. 


2 entity's organizational structure, and its ability to 
wide the necessary information flow to manage its 
ivities, are appropriate. 





Is the organizational structure appropriately 
centralized or decentralized, given the nature of 
the entity's operations? 
Does the structure facilitate the flow of 

information upstream, downstream and across 


all business activities? 
Are responsibilities and expectations for the 


entity's business activities communicated clearly 
to the executives in charge of those activities? 











y managers' responsibilities are adequately defined, 
ne `s understand these responsibilities, and their 
>wledge and experience are adequate in light of their 
ponsibilities. 


porting relationships are appropriate within the entity. I 


Are knowledge and experience of key managers 
their responsibilities? 
Are established reporting relationships (whether 
formal or informal, direct or matrix) effective, 
and do they provide managers information 
appropriate to their responsibilities and 









Do the executives responsible for business 
activities have access to communication 


channels to senior operating management? 
Does management periodically evaluate the 


entity's organizational structure in light of 


changes in the business or industry? 
Do managers and supervisors have sufficient 


time to carry out their responsibilities 





odifications to the organizational structure are made 
propriately based on changed conditions. 









ifficient numbers of employees exist, particularly in 
anagement and supervisory capacities. 





Do managers and supervisors work normal, 
rather than excessive amounts of overtime, thus 
fulfilling a manageable level of responsibilities 
for one emplovee? 
bility - The assignment of responsibilities, delegation of authority and establishment of 
lated policies provide a basis for accountability and control. It involves the degree to which individuals and teams are 
ıcouraged to use initiative in addressing issues and resolving problems as well as limits of their authority. A critical 


1allenge is to delegate only to the extent required to achieve objectives 
| jer 


esponsibility and delegation of authority are assigned to 
zal with organizational goals and objectives, operating 
inctions and regulatory requirements, including 


t of Authority and Responsi 





Is authority and responsibility assigned to 
employees throughout the entity? 
Are the number of people with requisite skill 


levels relative to the size of the entity, nature 
and complexity of activities and systems 
Do job descriptions contain specific references 
to control-related responsibilities? 











formation systems and authorization for changes. 








ontrol-related standards and procedures, including 
nployee job descriptions are appropriate. 
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Description of 
SMTA control 





Control Objectives = Control Considerations 
ity i i i Is there is an appropriate balance between 


eg...d authority in relation to assigned 

yonsibilities is appropriate. uthority needed to "get the job done" and the Yes 
involvement of senior personnel where needed? yes | 
Are employees at the “right” level of 
empowerment to correct problems or implement 
improvements, and is empowerment Ves 
accompanied by appropriate levels of 
competence and clear boundaries of authority? 

E 









Is responsibility for information systems 
processing and program development clear? 





man Resources Policies and Practices - Human resource policies and practices relate to hiring, training, evaluating, 
npensating and terminating employees. Management's expectations of performance and behavior are communicated 
'ough training and performance review. 


licies and procedures for hiring, training, promoting Are there policies and procedures for hiring, 

i compensating employees are in place. training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.g., 
a ing, sales)? 
Do existing personnel policies and procedures 








result in recruiting or developing competent and 
trustworthy people necessary to support an 
effective internal control system? 





When formal documentation of policies and 
procedures does not exist, does management 
communicate expectations about the type of 
people to be hired or participate directly in the 


ople are made aware of their responsibilities and 
pectations for them. 





Is management's response to failures to carry 
out assigned responsibilities appropriate? 





proved policies and procedures are appropriate. 


Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





Do employees understand that ineffective 
performance will result in remedial 


medial action taken in response to departures from 


Are integrity and ethical values considered as 
criteria in performance appraisals? 
Are candidates with frequent job changes or 
gaps in employment history subjected to 


particularly close scrutiny? 
Do hiring policies require investigation for a 
criminal record? 
Are promotion and salary increase criteria 
detailed clearly so that individuals know what 
management expects prior to promotions or 
advancement? 


srsonnel policies address adherence to appropriate 
hical and moral standards. 

mployee candidate background checks, particularly 

ith regard to prior actions or activities considered to be 
1acceptable by the entity, are performed. 











mployee retention, promotion criteria, information- 
athering techniques (e.g., performance evaluations) and 
slation to the code of conduct or other behavioral 
uidelines are adequate. 


Do supervisory personnel meet periodically 
with employees | to review job performance and yes 
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Description of 
SMTA control 














i Control Objectives Control Considerations 
u Does criteria reflect adherence to behavioral | yer | 
_ standards? I 
isk Assessment Ë: — 


itity- Wide Objectives - Entity-wide objectives, required to have effective control, include broad statements or what an 
itity desires to achieve, and are supported by related strategic plans. Objective setting is a precondition to risk assessment. 
here first must be objectives before management can identify risks to their achievement and take necessary actions to 


anage the risks. 
Has management established entity-wide 


atity-wide objectives provide sufficiently broad 
atements and guidance on what the entity desires to objectives? 
shieve, yet are specific enough to relate directly to this Are the entity wide objectives different than 








itity. generic objectives that could apply to any entity 
(e.g., generate sufficient cash flow to service 
debt, or produce a reasonable return on 











eriodically undated. directors/members? 


Does management obtain feedback from key I 
managers, other employees and the board Ye) 
signifying that communication to employees is 
effective? 
3usiness/Operational strategies are consistent with entity- E the strategic plan support the entity-wide w53 | 
wide objectives and regularly reviewed. objectives? 

a 

Eza 


n ni 
‚ntity-wide objectives are effectively communicated to Is information on the entity-wide objectives 
mployees and board of directors/members and disseminated to employees and the board of 





Does the strategic plan address high level 








directors/members? 


Business/Operational plans and budgets are consistent Do assumptions inherent in the plans and 
with entity-wide objectives, strategic plans and current budgets reflect the entity's historical experience 






and current conditions? 
Are plans and budgets at an appropriate level of 


detail for each management level? 
Activity-Level Objectives - Activity-level objectives flow from and are linked with the entity-wide objectives and strategies. 
Activity-level objectives are frequently stated as goals with specific targets and deadlines. Objectives are established for each 
significant activity, and those activity-level objectives are consistent with each other. 


conditions. 









-level objectives been established 





Have activity 
for all significant business processes? 
Is there adequate linkage between activity-level 
objectives, entity-wide objectives and strategic 


plans? 
Are activity level objectives reviewed from time 


BZ 
EA 
to time for continued relevance? MU: 
| 
= 
| yes | 


Activity-level objectives have been established; there is 
linkage between activity-level objective and entity-wide 
objectives; and strategic plans and objectives are 
consistent. 









Are they complementary and reinforcing within 
activities? 
Are they complementary and reinforcing 


between activities? 
Are objectives established for key activities in 


the flows of goods and services and support 
activities? 


Activity-level objectives are consistent with each other. 






Activity-level objectives are relevant to all significant 
business processes. 
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Description of 
SMTA control 





š Control Objectives | Control Considerations 


Are activity level objectives consistent with past 
i performances or with industry or 
trics, and have the reasons for 
onsidered? 
ablished for each significant 


tivity-level objectives are specific, measurable and are o objectives include assessment criteria that 
‚nitored. Adequate resources are available to achieve are specific, measurable, achievable, realistic 

















> objectives. 











Are objectives monitore 





Are current resources sufficient to achieve 
ent identified the 


bjectives that are important (critical success factors) to d what must go right, 
shievement of entity-wide objectives are identified. ded, for entity- 
management' 
importance of obj ectives? 
Do the objectives serving as critical success 
factors provide a basis for particular 


management focus? 


All appropriate levels of management are involved in Do managers participate in establishing activity 
objective setting and demonstrate commitment to the “ectives for which they are responsible? 






























objectives. 








Do managers support the objectives, and not 
have "hidden agendas? 
Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
level and the activity level. The risk-assessment process should consider external and internal factors that could impact 
achievement of the objectives, should analyze the risks, and provide a basis for managing them. 


Are there adequate mechanisms in place to 
that prevent the 
objectives? External 
See 



























Mechanisms are in place to identify risks arising from 
external sources. 








Supply sources 





Technology changes 


Creditor's demands | yas | 


Competitor's actions 





Economic conditions 
Political conditions 





Regulation 
— Natural events 





Mechanisms are in place to identify 
internal sources. 


Are there adequate mechanisms in place to 
identify internal risks that prevent the 

achievement of business objectives? Internal 
may include: 
Human resources (e.g., retention of key 


risks arising from 















Finance (e.g., availability o 


initiatives or continuation of ke 
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i Control Objectives 


1e risk analysis process is thorough and includes 
timating the significance of risks, assessing the 
celihood of their occurring and identifying steps to 
itigate them. 


he risk assessment process is adequately monitored by 
snior management and/or the board. 


ar „ng Change — Economic, industry and regulatory environments change and entitie 


ıeeded to identify and react to changing conditions. 


Aechanisms exist to anticipate, identify and react to 
outine events or activities that affect achievement of 
mtity or activity-level objectives. 


Mechanisms exist to identify and react to changes that 
can have a more dramatic and pervasive effect on the 


entity, and may demand the attention oftop management. 





rules. 


The accounting department has established processes to 
(1) identify significant changes in International Public 
Sector Accounting Standards (IPSAS) / Government 
Financial Rules (GFR) promulgated by relevant 
authoritative bodies (Controller General of Accounts), 
(2) notify the accounting department of changes in the 
entity’s business practices that may affect the method or 
the process of recording transactions, and (3) identify 
significant changes in internal control or the operating 
environment, including changes as a result ofnew or 
changing regulations 





Control Considerations 


-  Sales/Ticketing 


— Research & Development 





Ar 
risks for each entity/projec/directorate and 
significant activity-level obj ective? 


Are risks analyzed to determine their 
significance and rate the likelihood and 






D 

react to routine events or activities that affect 
achievement of entity or activity-level 

Are risks and opportunities related to the 
changes addressed at sufficiently high levels in 


mission and strategy and therefore affect entity- 
wide and activity-level objectives (e.8., rapid 
growth, new products, business acquisition, 





Description of 
SMTA control 





Information technology 











Marketing/Communicaton 
e procedures performed to identify significant 








consequence of their occurring? 


Are risks analyzed to determine what steps are 
required to mitigate the risk, if appropriate? 

Does the board or audit committee oversee and 
monitor the risk assessment program and ensure 
appropriate action is taken for significant risks? 











s’ activities evolve. Mechanisms are 





o mechanisms exist to anticipate, identify and 








the organization so their full implications are 
identified, and appropriate action plans 


ormulated? 
Are mechanisms in place to identify and react to 


changes that may impact the organization's 








IPSAS/GFR Compliance — Entity accounting practices should accurately reflect current IPSAS/GFR and other regulatory 


Does the accounting department have a process 
in place to identify and address changes in 

IPSAS/GER, as well as for approving changes 
in accounting made to address such changes? 








Does management work with SMTA’s 
independent auditors or other third party experts 
to determine if they are addressing complex 
changes in IPSAS/GFR appropriately? 





Does the board of directors/members and/or the 
audit committee review and approve significant 
changes in the entity’s accounting practices? 
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j Control Objectives 





Control Activities 
Policies and Procedures - Policie 
be done and procedures explain how it is carried out. 
Policies may be communicated orally or written. 
Regardless of method they must be implemented 
conscientiously and consistently. 








s establish what should 








Description of 
SMTA control 






Control Considerations 
Are there processes to ensure the accounting 
department is made aware of changes in the 
operating environment so they can review the 
changes and determine what, if any, effect 
change may have on the entity’s accounting 


Did 
ication between 
in charge of monitoring regulatory rules so the Yes 
accounting department is aware of regulatory 
changes that could affect the entity’s accounting 
practices? 


Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 
determine whether such transactions are 
appropriately accounted for and disclosed? 


Evaluate to what degree the DFA and Controller 

periodically review and approve the accounting D if 
practices as being in accordance with 

IPSAS/GER and meeting the needs of the issuer. Ena 


Does the DFA or Controller review and assess 

the ability and expertise of accounting personnel j 
at each of its subsidiaries to properly report 

relevant information for disclosure purposes? 


Are there controls in place to ensure relevant 
information is captured at the lowest level to 
ensure proper reporting at the consolidated 

























Are there policies and procedures in place to 
ensure the preparation of the statement of cash 
flows is in accordance with applicable 





Are there policies and procedures (informal or 
documented) for generation of accounting 
transactions and financial statements and over 


developing and modifying accounting systems 










Are accounting and closing practices followed 
consistently at interim dates (e.g. monthly, 
throughout the year? 

Do appropriate levels of management review 
significant accounting estimates and support for 
unusual transactions and non-standard journal 









ons timely and 








appropriate? 
Are policies and procedures reviewed 
periodically to determine continued 

appropriateness? 
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Description of 


Control Objectives SMTA control 


Does ownership of policies and procedures 
reside with the appropriate levels of 
management? 


igetary Controls - Management has clear budget, Does a budgeting system exist and is it 

fit, and other financial and operating goals. These appropriate and comprehensive in relation to 

Js are clearly written and communicated throughout 

entity, and are actively monitored and variances Does management appropriately review key 
performance indicators regularly and identify 
Are significant variances investigate 


N 


efi sje k 












Iressed. 
significant variances? 
d and is 
appropriate corrective action taken? 

Are variances in planned performance 
communicated and discussed with the board of 
directors/members and/or audit committee on a 
erly ba is? 





Do financial statements and management reports 
submitted by various reporting units include 
analytical comments and anal sis? 


sere “ion of Duties — Duties are logically divided or Is there appropriate segregation of incompatible 
:gregated (whether manually or through appropriate set duties in general? 


Er 





9 of information technology applications) among 
ifferent people to reduce the risk of fraud or 

1appropriate actions. Note: Specific areas o 
on of duties will be covered within the business 


afeguarding of Assets - Periodic comparisons are made Has management established procedures to 
£ amounts recorded in the accounting system with prevent unauthorized access to, or destruction 









Š 


ıhysical assets. Adequate safeguards are in place to of, documents, records, and assets? 
yrevent unauthorized access to or destruction of Are significant or recurring adjustments 
locuments, records, and assets. Note: S ecific areas o investigated to determine the reason for the 
safeguarding of assets will be covered within the adjustment and are appropriate actions taken to 
address the root causes for the adjustments? 












Shareholder Matters — Shareholder matters should be 
properly authorized and recorded. 








Stockholder records, stock issuance and 
treasury stock transactions? 

Communications with stockholders? 
Are stockholder records completely and 


accurately maintained? 
Are transactions for the following valid, 
authorized, complete, accurate and processed on 








dl 




















stock Y ej 
T ae 





Information and Communication 


Information - Information is identified, captured, process information sys 
includes industry, economic and regulatory information obtained from external sources, as well as internally generated 


mation enables people to carry out their responsibilities. 








tems. Relevant information 












information. This infor 
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Description of 
SMTA control 





Control Considerations 


e Do procedures require that management 
review control processes to ensure that the 


a Control Objectives E 


er... and internal information is obtained, and 
vides management with necessary reports on the 
ity's performance relative to established entity-wide 
ectives. 

mation is provided to the right people in sufficient 
til and on time to enable them to carry out their 
yonsibilities efficiently and effectively to achieve 
vity-level objectives. 


rmation systems provide management with necessary 
rts on the entity’s performance relative to established 
ıctives. 









e Are procedures in place to monitor when 
controls are overridden and to determine ifthe 
override was appropriate? 

e Are policies/procedures in place to assure 
that corrective action is taken on a timely basis 

ontrol exceptions occur? 

Is internally generated information critical 
to achievement of the entity's objectives 
ed and regula eported? 


Do managers receive information that 
enables them to identify what action needs to be 














Is information summarized appropriately, 
providing pertinent information while 
permitting closer inspection of details as needed 
ather than justa "sea of data"? 
Is information available on a timely basis 
to allow effective monitoring of events and 
activities - internal and external - and prompt 
reaction to economic and business factors and 









Is the entity able to prepare accurate and 
timely financial reports, including interim 
eporl 2 
° Isthere a high level of user satisfaction 
with information systems processing, including 
iability and timeliness of reports? 

Has the internal control environment at the 
service organization been documented and 















sactions that are executed/processed by service 
nizations are effective. 






e Does the timing of the documentation and 
testing performed by the independent third party 
cover a significant portion of the year? 






<< < 
i 






nal controls over significant applications or Í 


imunication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
ing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 
up an organization and with parties external to the organization. 


loyees' duties and control responsibilities are 
tively communicated. 


inels of communication for people to report 
:cted improprieties have been established. 










> 





e Are employees’ roles and responsibilities 
regarding internal control and risk assessment 
communicated clearly and effectively by 






Do employees know the objectives of their 
own activity and how their duties contribute to 
achieving those-Obiectives? 
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Control Objectives 


'anagement is receptive to employee suggestions of 
ays to enhance productivity, quality or other similar 
aprovements? 


ommunication across the organization is effective (for 
xample, between procurement and production activities) 
nd the completeness and timeliness of information is 


uff tto enable people to discharge their 
ssponsibilities effectively. 


“hannels with customers, suppliers and other external 
Jarties for communicating information on changing needs 


ire open and effective. 


Outside parties are made aware of the entity's ethical 


standards. 


Follow-up action by management resulting from 
communications received from customers, vendors, 
regulators or other external parties is timely and 
appropriate. 


e Are persons who report suspected 
ESG provided feedback, and do they 
3 eprisals? 
Are all reported potential improprieties 
reviewed, investigated and resolved in a timely 
manner? 


Er delivered by management level 
commensurate with the nature and importance 
of the message (e.g., senior executive 
periodically men in we the entity's 
anaara e nar 
Do nn atomets md others know 
the entity's standards and expectations regarding 








Description of 
SMTA control 





Control Considerations 
Is anonymity permitted? 









e Are realistic mechanisms in place for 
employees to provide recommendations for 
mprovement? 

e Does management acknowledge good 
angles suggestions by ee cash awards 





e Does information on competitors' new 
or me reach engineering, 


e Are suggestions, complaints and other 
input ee and communicated to relevant 





Are important communications to outside 













actions in dealing with the entity? 
e  Areimproprieties by employees of external 
parties reported to the appropriate personnel? 






+ Are personnel receptive to reported 
problems regarding products, services or other 
matters, and are such reports investigated and 





Are errors in customer billings corrected, 
and the source of the error investigated and 






e Are appropriate actions taken and is there 


follow-up communication with the original 
es? 


Page 14 of 17 








Description of 





u Control Objectives Control Considerations SMTA control 
Is senior management aware of the nature Yes 
Tonitoring = Sr ne 


ngoing Monitoring - Ongoing monitoring occurs in the ordinary course of operatio 
1d supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal 
trol system performance. Note: Additional monitoring controls will be covered within the business process analysis sections. 








arsomnel, in carrying out their regular activities, 
¡gularly obtain evidence as to whether the system of 
ternal control continues to function. 


e _ Are operating personnel required to “sign 
off” on the accuracy of their units” financial 
statements, and are they held responsible if 
erro ore d i avere d? 

Are customers’ complaints recorded and 
investigated for their underlying causes? 
Are suppliers' complaints of unfair 
practices by purchasing agents recorded and 

fully investigated? 

Do regulators communicate information to 
the entity regarding compliance or other matters 
that reflect on the functioning of the internal 








ommunications from external parties, that corroborates 
ternally generated information or indicates problems, is 
fectively gathered and used. 









Are controls that should have prevented or 
detected the problems reassessed? 
Are there periodic comparisons of 
accounting records to physical assets? 
Do executives with proper authority decide 
which of the auditors' recommendations will be 






here is periodic comparison of amounts recorded by the 
¿counting system with physical assets. 

fanagement is responsive to internal and external 

Aditor (or external regulator) recommendations on 

1eans to strengthen internal controls. 





implemented? 
Are desired actions followed up to verify 








Are relevant issues and questions raised at 
training seminars captured? 
2ssions and other meetings. 








{anagement monitors actions toward financial reporting, 
icluding disputes over application of accounting 
‘eatments (e.g., selection of conservative vs. liberal 
ccounting policies, whether accounting principles have 
een misapplied, important financial information not 
isclosed, or records manipulated or falsified). 


Does management monitor actions toward 
financial reporting, including disputes over 
application of accounting treatments? 





ersonnel are asked periodically to state whether they 
nderstand and comply with the entity's code of conduct 


nd regularly perform critical control activities. 
‘he scope and extent of internal audit activities is 


ppropriate. 


Are signatures required to evidence 

performance of critical control functions, such 
onciling specified amounts? 

Are there appropriate levels of competent 

and experienced staff? 

Is their position within the organization 









appropriate? 
Do they have access to the board of 
directors/members or audit committee? 








Are their scope, responsibilities and audit 
plans appropriate to the organization's needs? 


Tanagement seeks feedback on whether controls operate 
ffectively when conducting training seminars, planning 
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Description of 
Control Objectives Control Considerations SMTA control 


mi. ¿e Evaluations - It Is useful to take a fresh look at the internal control system from time to time, focusing directly on 
‘stem effectiveness, the scope and frequency of separate evaluations will depend primarily on an assessment of risks, and 
ıgoing monitoring procedures. 


he scope, frequency and methodology of separate + Are appropriate portions of the internal 
valuations of the internal control system is adequate. ontrol system regularlı evaluated? 









e Are the evaluations conducted by 
»ersonnel with the requisite skills? 

e Are the scope, depth of coverage and 
frequency adequate? 

e Does such methodology include checklists, 
questionnaires or other tools? 


Che evaluation process is appropriate and the objectives + Does the evaluator gain a sufficient 
yf the evaluation are clearly stated. derstanding of the entity's activities? 












e Isan understanding obtained of how the 
em is supposed to work and how it actually 









iS 





Is an analysis made, using the evaluation 
results as measured against established criteria? 








+ Is the evaluation team brought together to 
plan the evaluation process and ensure a 
coordinated effort? 
° Ts the evaluation process managed by an 
executive with requisite authority? 
e Are policy manuals, organization charts, 
operating instructions and the like available? 
e Ts consideration given to documenting the 
evaluation process? 
Reporting Deficiencies - Internal control deficiencies should be reported upstream with certain ma 
management and the board. 


adequately defined. 









The methodology for evaluating a system is logical and 
appropriate and interim and final deliverables are 





The level of documentation developed during and 
resulting from the evaluation is appropriate. 





tters reported to top 








Mechanisms exist for capturing and reporting identified 
internal control deficiencies. 


+ Do mechanisms exist for capturing and 
reporting deficiencies from both internal sources 
and external sources (e.g., customers, suppliers, 








e Do mechanisms exist for capturing and 
reporting deficiencies resulting from ongoing 
itoring o enarate evaluations? 

e Are deficiencies reported to the person 
directly to appropriate individuals? 

e Are specified types of deficiencies 
reported to more senior management and to the 
° Is the identified transaction or event 
corrected? 

e Are the underlying causes of the problem 
investigated? 
e Is there follow-up to ensure the necessary 


2 
Areca pt 5 
PRAN 
REA j 














Reporting protocols are appropriate and are followed. 














Follow-up actions are timely and appropriate and are 


reviewed by management. 

























Fraud — Fraud prevention programs arè essential to set the right tone for an effective internal control 
internal controls provide better opportunities to detect and deter fraud. 














Management has implemented formal communication 
mechanisms, internal controls, and internal or external 
oversight processes to effectively prevent or deter fraud. 


Is there a positive workplace environment that 
minimizes employees’ sense of feeling abused, 
threatened or ignored? 
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Control Objectives 





Aanagement has included the identification of fraud risks 
1 its entity--wide risk assessment program or has 
stablished a separate risk assessment program that 
onsiders the vulnerability of SMTA to fraudulent 
ctivities. 


Description of 


Control Considerations SMTA control 


Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 
trust? 

Does SMTA react to and deal with acts of fraud 
in a manner that sends a strong message 
throughout SMTA that helps reduce the 
likelihood of inci 2 


programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 

Do communications to external parties regularly 
state SMTA's position on fraudulent activity and 
the potential consequences if fraud is detected? 


Has management implemented and does it 
continuously monitor the operation of internal 
controls designed to mitigate the risk of fraud? 


Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 
appropriate influence over the financial 
reporting process? 


Does management make changes to the 
processes of the organization to reduce or 


eliminate the risk of fraud? 
Does the audit committee or board of 


directors/members evaluate management's 
identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 


Does management review identified fraud risks 
with the audit committee and seek guidance 
from the audit committee as to other associated 


Do internal auditors examine and evaluate 
adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 
proactive auditing: to search for corruption, 
misappropriation of assets, and financial 


statement fraud? 
Does management perform fraud brainstorming 
sessions? 


Have critical controls been identified to address 
identified fraud risks? 

Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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GOVERNMENT OF SINDH 
Karachi Urban Mobility Pro ject 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT 
DEPARTMENT 


No. SHEQ/YLC/SMTA/2021/ 001 Karachi Dated: July 19, 2021 





Financial Management Specialist, 

Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 

Karachi. 


GOVERNANCE ASSESSMENT OF SINDH MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK KARACHI 


MOBILITY PROJECT). 





SUBJECT: 





I am in receipt of your letter reference number 


FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 


and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 


to you. 
SAFETY HEALTH ENVIRONMENT 
AND QUALITY SPECIALIST 
C.c to: 
1. PS to Project Director, Karachi Mobility Project. 
2. Master File. 
Enclosure: 


1. Filled-in Questionnaire 








House # D-43/1, Block 2 Clifton, Karachi, 75600 Tel: 02 


1 99333208 Ext.30 Email: sheq.kmp.yle@gmail.com 


GOVERNMENT OF SINDH 4 3 
Karachi Mobility Project 


E (YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 


TRANSPORT & MASS TRANSIT DEPARTMENT 


No. FMS/CG/YLC/SMTA/2021/425b Bra. De y NA 
To, " 
\ 
1. Director HR & Administration, 2. Director F & A, SMTA 
SMTA 
3, Director Infrastructure & Projects, 4. Procurement & Contract Management 
SMTA Specialists , KMP-YLC 
v. Safety Health Environment Quality 6. Gender Specialist KMP-YLC 
Specialist KMP-YLC 
7. Communication Specialist KMP- 8. Social Specialist KMP-YLC 
YLC 
Subject: GOVERNANCE ASSESSMENT OF SINDH MASS _ TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO 8995-PK RACHI 











MOBILITY PROJECT). 


I am directed to refer to the subject mentioned above and to say that Government 
of Sindh, through Sindh Mass Transit Authority (SMTA), Transport and Mass Transit 
Department (TMTD) is implementing Karachi Urban Mobility Project Yellow Line Corridor, 
which is funded the World Bank under IBRD Loan No. 8995-PK (Karachi Mobility Project) . 
The World Bank has now required to assess and report to the Bank over all Governance 
Structure and Internal Controls of Sindh Mass Transit Authority. 


In this regard, the World Bank has approved a questionnaire that is requested to 
be filled in by all directorates and projects under the control of SMTA. The same questionnaire 
is attached for your office to be filled in and sent back to the Project Director Karachi Mobility 
Project — Yellow Line BRTs by the close of business day on 16-07-2021 by surface mail / hard 


copy as well as on email to 
questionnaire will also be emailed to you. ON 


Cc: 





1. PS to the Secretary Transport and Mass Transit Department, Government of Sindh 


2. PS to the Managing Director Sindh Mass Transit Authority, TMTD, Government of Sindh 
3. PS to the Project Director, Karachi Mobility Project 


ee 
Plot No. D-43 & D-43/1, Shahra-e-Ghalib, Block -2, Clifton, Karachi-Ph # 021-99332207-8 


ENTITY LEVEL CONTROLS 


Control Objectives 
Control Environment 








Integrity, ethical values, and behavior of key executives - The effectiveness of controls depends on the integrity and ethical 


Description of 


s SMTA control 





Control Consideration 


values of the people who create and administer them. The control environment is influenced by how management 
communicates ethical standards and reinforces them in practice - through policies and codes of conduct, and by example. 





Codes of conduct and other policies regarding acceptable 
business practices, conflicts of interest, or expected 
standards of ethical or moral behavior exist and have 
been implemented. 


Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation; 
occupational safety and health; environmental protection; 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons; 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local; HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance; communications; 


> 









Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, or 
expected standards of ethical or moral behavior 
and have they been implemented and 
communicated effectively? 








Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and 








J O 
insider trading? N 
Are the codes periodically acknowledged by all O 
employees? A 
Are training programs conducted to ensure that 
employees understand the codes of conduct? No 





Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 
If a written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? 
Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 
do if they encounter improper behavior? 





“E 
a 
i, 





\ 


`< 
rs 
nm 









Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement any 
appropriate changes in company policies or 
business practices in a timely manner? 


& 
© 





Is a register and record of complaints 
maintained regarding significant laws with 
which the entity is required to comply within its 


© 


Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 






yes 


Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 


ag 
N 
Na 
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Description of 
SMTA control 





Control Objectives Control Considerations 


‘ormal or Informal job descriptions or other means of Has management analyzed, on a formal or 

lefining tasks that comprise particular jobs have been informal basis, the tasks comprising particular 
stablished. jobs, considering such factors as the extent to 

which individuals must exercise judgment and 

he ex ision? 


ent QO ated Der 
\nalyses of the knowledge and skills needed to perform Has management adequately determined the 
obs adequately have been performed. knowledge and skills needed to perform 
particular jobs? 
Does evidence exist indicating that employees 















and key managers appear to have the requisite 
knowledge and skills for their job functions? 





Does management demonstrate a commitment 
to provide sufficient competent accounting and 

financial personnel to keep pace with the growth 
and/or complexity of the business? 





audit committee's independence from management, 
the experience and stature of its members, the extent 
of its involvement and oversight of activities, the 
degree to which difficult questions are raised and 
pursued with management, and its interaction with 


The SMTA Board or Audit Committee - The board and 
its audit committee play an important role in setting 
the tone at the top. Qualities include the board or 





Does the board include independent 
directors/members with appropriate background 
and expertise, given the nature of SMTA? 





Independence from management has been achieved, such 
that necessary, even if difficult and probing, questions are 
raised. 


y ES 








Has the independence of outside board members 
been adequately reviewed, including Y PS 
affiliations? 
Does the board constructively challenge 
management's planned decisions for strategic 

initiatives and major transactions, and probe for 7 
explanations of past results (e.g., budget 











= 
ariances)? 
Does the board and/or audit committee 
represent an informed, vigilant and effective No /D CA 
overseer of the financial reporting process and 
sufficient consideration to understanding 1) 
management's processes for monitoring business NE £ 
risks affecting the organization? 

ER, 









officers and employees (e.g., a small 
corporation) question and scrutinize activities, 
present alternative views and take appropriate 


Wo PEA 





Board committees are used, where warranted by the need 
for more in-depth or directed attention to particular 
matters. 


yes | 
yes 


Are the existing committees sufficient, in 
subject matter and membership, to deal with 


important issues adequately? 
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Description of 
SMTA control 





Control Objectives a 


he board or audit committee takes appropriate actions 
3 a result of its findings, including special investigations, 


Control Considerations 
Does the board specifically address 
management's adherence to the code of 


conduct? 
Has the board or audit committee issued 


directives to management detailing specific 


actions to be taken? 
Does the board or audit committee oversee and 


take prompt action to follow-up its findings? 














3 needed. 


ana ement's Ptilöso hy And Operating Style - Management's attitudes toward controls are reflected in how it accepts and 




















Tanagement evaluates business === prior to accepting 
10se risks (e.g., high risk ventures, extremely only after carefully analyzing the risks and y ë =Ñ 
onservative ventures). potential benefits of a venture? 

Are there appropriate policies for such matters 

as accepting new business and conflicts of s Ç 

interest which are adequately communicated Y E 
Aanagement monitors personnel turnover in key Has turnover of management or supervisory a 
unctions (e.g., operations, accounting, data processing, personnel been normal, rather than excessive? No DER 
nternal audit). Have key personnel left only after giving proper 

notice, rather than quitting unexpectedly or on y es 

short notice? 

Has turnover of personnel other than 

management been normal, rather than No LACA 

excessive? 





Management has the appropriate attitude relative to the 
nformation systems processing and payment & 
iccounting functions, and is concerned about the 
‘liability of financial reporting and the safeguarding of 
assets. 


Does management give appropriate attention to 
internal controls? 
Is the accounting function viewed as a vehicle 
for exercising control over the entity's various 
activities, rather than as a necessary group of 








Does the selection of accounting and 
government principles used in financial 

statements result in a fair presentation, as 
opposed to always resulting in the highest 


If the accounting function is decentralized, does 
operating management “sign off” on report 

results? 
Do business unit accounting personnel also have 
responsibility to central financial officers? 









Are valuable assets, including intellectual 
property and information, protected from 
unauthorized access or use? 
Do senior managers frequently visit projects or 
divisional operations? 
Are project or divisional management meetings 


held frequently? 
Is there a mechanism available to remotly 


access overall project progress? 
Does management avoid excessive focus on 
short-term reported results? 
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There is frequent interaction between senior management 
and operating management, particularly when operating 
from geographically remote locations-. 











Management has a positive attitude and takes appropriate 
actions toward financial / Government / Donor reporting, 


L1 JO 9 a3eg 
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Description of 
SMTA control 





Control Objectives u Control Considerations 


)elegated authority in relation to assigned Is there is an appropriate balance between 

esponsibilities is appropriate. authority needed to "get the job done" and the 
involvement of senior personnel where needed? 
Are employees at the “right” level of 








empowerment to correct problems or implement 
improvements, and is empowerment 
accompanied by appropriate levels of 
competence and clear boundaries of authority? 
Is responsibility for information systems 
processing and program development clear? 








Juman Resources Policies and Practices - Human resource policies and practices relate to hiring, training, evaluating, 
:ompensating and terminating employees. Management's expectations of performance and behavior are communicated 
:hrough training and performance review. 


Policies and procedures for hiring, training, promoting Are there policies and procedures for hiring, 
and compensating employees are in place. training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.g., 
a oun in 2 ale 
Do existing personnel policies and procedures 


result in recruiting or developing competent and 
People are made aware of their responsibilities and 
expectations for them. 


trustworthy people necessary to support an 
Remedial action taken in response to departures from 
approved policies and procedures are appropriate. 





















When formal documentation of policies and 
procedures does not exist, does management 
communicate expectations about the type of 
people to be hired or participate directly in the 






' 
Are new employees made aware of their 
responsibilities and management's expectations 





Do supervisory personnel meet periodically 
with employees to review job performance and 
uggestions for improvement? 
Is management's response to failures to carry 
out assigned responsibilities appropriate? 








Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





Do employees understand that ineffective 
performance will result in remedial 
conseguences? 
Are integrity and ethical values considered as 
criteria in performance appraisals? 
Are candidates with frequent job changes or 
gaps in employment history subjected to 

particularly close scrutiny? 
Do hiring policies require investigation for a 





effective internal control system? 
Personnel policies address adherence to appropriate 
ethical and moral standards. 
Employee candidate background checks, particularly 
with regard to prior actions or activities considered to be 
unacceptable by the entity, are performed. 


















criminal record? Y ES 
Employee retention, promotion criteria, information- Are promotion and salary increase criteria 
gathering techniques (e.g., performance evaluations) and detailed clearly so that individuals know what es 
relation to the code of conduct or other behavioral management expects prior to promotions or Y 
guidelines are adequate. advancement? 
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Description of 
SMTA control 





Control Considerations 


Do objectives include assessment criteria that 
are specific, measurable, achievable, realistic 
and time based? 









Control Objectives u 
Are current resources sufficient to achieve 
objectives or has management identified the 


\ctivity-level objectives are specific, measurable and are 
jonitored. Adequate resources are available to achieve 
he objectives. 
resources needed? 


wide objectives to be achieved? 
Are capital spending and expense budgets based 
on management's analysis of the relative 
All appropriate levels of management are involved in 
objective setting and demonstrate commitment to the 
objectives. 
Do managers support the objectives, and not 


factors provide a basis for particular 
Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
external and internal factors that could impact 











management focus? 
Do managers participate in establishing activity 


objectives for which they are responsible? 









Do procedures exist to resolve disagreements? 











Mechanisms are in place to identify risks arising from 
external sources. 


Are there adequate mechanisms in place to 
identify external risks that prevent the 





Technology changes 
Creditor's demands 





Competitor's actions 





Economic conditions 





— Political conditions 


m TOA 


\ 
Mechanisms are in place to identify risks arising from Are there adequate mechanisms in place to 
internal sources. identify internal risks that prevent the 
achievement of business objectives? Internal 
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Description of 
SMTA control 






Control Considerations 

Are there processes to ensure the accounting 
department is made aware of changes in the 
operating environment so they can review the 
changes and determine what, if any, effect 
change may have on the entity’s accounting 
oractices? 
Are there channels of communication between 
the accounting department and/or individual(s) 
in charge of monitoring regulatory rules so the 
accounting department is aware ofregulatory 
changes that could affect the entity’s accounting 
practices? 


Control Objectives 





yes 














yes 












Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 
determine whether such transactions are 

oriately accounted for and disclosed? 
Evaluate to what degree the DFA and Controller 
periodically review and approve the accounting 
practices as being in accordance with 

eeds of the issuer. 











the ability 
at each of its subsidiaries to properly report 
relevant information for disclosure purposes? 





DON? RNOR 


s in place to 
ement of cash V E 


Are there policies and procedures (info 









Control Activities ee ee A 
Policies and Procedures - Policies establish what should rmal or 
be done and procedures explain how it is carried out. documented) for generation of accounting 

Policies may be communicated orally or written. transactions and financial statements and over 


Regardless of method they must be implemented developing and modifying accounting systems 
conscientiously and consistently. 2 











es reviewed 
periodically to determine continued 


Are policies and procedur 
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Description of 





Control Objectives W 


ernal and internal information is obtained, and 
vides management with necessary reports on the 
ity's performance relative to established entity-wide 
jectives. 


Control Considerations 


e _ Do procedures require that management 
review control processes to ensure that the 











ontro are being app I CXD 
e Are procedures in pl 


controls are overridden and to determine if the 











s in place to assure 
n a timely basis 









Is internally generated information critical 
ity's objectives 


formation is provided to the right people in sufficient ° 
stail and on time to enable them to carry out their e 
:sponsibilities efficiently and effectively to achieve 
ctivity-level objectives. ° i 
for different levels of management: 
Is information summarized appropriately, 
nan d ea 0 
Is information available on a timely basis 
to allow effective monitoring of events and 
activities - internal and external - and prompt 









reaction to economic and business factors and 


Information systems provide management with necessary ty able to prepare accurate and 
reports on the entity’s performance relative to established 
objectives. 























timely financial reports, including interim 

e Is there a high level of user satisfaction 
with information systems processing, including 
eliability and timeliness oT repor o 


Internal controls over significant applications or e Has the internal control environment at the 
transactions that are executed/processed by service service organization been documented and 
organizations are effective. tested by an independent third party for the 











an 
e Does the timing of the documentation and 
testing performed by the independent third party 
cover a significant portion of the year? 









Communication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 


and up an organization and with parties external to the organization. 


Employees' duties and control responsibilities are + Are employees’ roles and responsibilities 
effectively communicated. regarding internal control and risk assessment 
communicated clearly and effectively by 











e objectives of their 


own activity and how their duties contribute to 


un ose obiectives? 





+ Is there a way to communicate upstream 
through someone other than a direct superior, 


Channels of communication for people to report 
suspected improprieties have been established. 
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Description of 
SMTA control 





Control Objectives Control Considerations 





nd includes regular management 


[onitoring Fj š ps 


nsoing Monitoring - Ongoing monitoring occurs in the ordinary course of operations, a 
ıd supervisory activities, and other actions personnel take in performing their duties-that assess the quality of internal 
mtrol system performance. Note: Additional monitoring controls will be covered within the business process analysis sections. 


>rsomnel, in carrying out their regular activities, 
'gularly obtain evidence as to whether the system of 









e Are operating personnel required to “sign 
off’ on the accuracy of their units’ financial 
statements, and are they held responsible if 


e discovered? 


‘ommunications from external parties, that corroborates e Are customers’ complaints recorded and 
ıternally generated information or indicates problems, is investigated for their underlving causes? 
ffectively gathered and used. e Are suppliers' complaints of unfair 


iternal control continues to function. 





















practices by purchasing agents recorded and 
ıllv investigated? 

e Do regulators communicate information to 
the entity regarding compliance or other matters 
that reflect on the functioning of the internal 

9 
e _ Are controls that should have prevented or 
detected the problems reassessed? 


There is periodic comparison of amounts recorded by the | e Are there periodic comparisons of 
accounting system with ph sical assets. accounting records to ph sical assets? 


Management is responsive to internal and external e Do executives with proper authority decide 
auditor (or external regulator) recommendations on which of the auditors' recommendations will be 
















means to strengthen internal controls. implemented? 
e Are desired actions followed up to verify 
implementation? 
ions raised at 


e Are relevant issues and quest 
i N 4 












Management seeks feedback on whether controls operate 
effectively when conducting training seminars, planning 
sessions and other meetings. 












e Are employee suggestions communicated 


upstream and acted on as appro priate? 
e Does management monitor actions toward 


financial reporting, including disputes over 
application of accounting treatments? 





Management monitors actions toward financial reporting, 
including disputes over application of accounting 
treatments (e.g., selection of conservative vs. liberal 
accounting policies, whether accounting principles have 
been misapplied, important financial information not 
disclosed, or records manipulated or falsified). 

e Are signatures required to evidence 


Personnel are asked periodically to state whether they 
i 's code of conduct itical control functions, such 
and regularly perform critica 3 i i 


performance of cr 
ili ed amounts? 
The scope and extent of internal audit activities is + Are there appropriate levels of competent 
appropriate. and experienced staff? 
e Ts their position within the organization 


appropriate? 
i Do they have access to the board of 


directors/members or audit committee? 
e Are their scope, responsibilities and audit 
plans appropriate to the organization's needs? 
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Control Objectives 


Management has included the identification of fraud risks 


in its entity--wide risk assessment program or has 
established a separate risk assessment program that 
considers the vulnerability of SMTA to fraudulent 
activities. 


ov 
Description of 
SMTA control 






Control Considerations 

Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 

















Are there ongoing 
programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 

Do communications to external parties regularly 
state SMTA's position on fraudulent activity and 
the potential consequences if fraud is detected? 









Has management implemented and does it 
continuously monitor the operation of internal 


controls designed to mitigate the risk of fraud? 















Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 
appropriate influence over the financial 








Does the audit committee 
directors/members evaluate management's 
identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 









Does management review identified fraud risks 
with the audit committee and seek guidance 
from the audit committee as to other associated 





Do internal auditors examine and evaluate 
adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 
proactive auditing: to search for corruption, 
misappropriation of assets, and financial 
statement fraud? 

Does management perform 
sessions? 








fraud brainstorming 









Have critical controls been identified to address 
identified fraud risks? 


Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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GOVERNMENT OF SINDH 
Karachi Urban Mobility Project 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT 
DEPARTMENT 


No. CS/YLC/SMTA/2021/ 001 Karachi Dated: July 19, 2021 





Financial Management Specialist, 

V Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 
Karachi. 


SUBJECT: GOVERNANCE ASSESSMENT OF SINDH MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 
MOBILITY PROJECT). 








I am in recept of your letter reference number 
FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 
and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 


to you. 
COMMUNICATION SPECIALIST 
C.c to: 
l. PS to Project Director, Karachi Mobility Project. 
2. Master File. 
Enclosure: 


l. Filled-in Questionnaire 





House # D-43/1, Block 2 Clifton, Karachi, 75600 Tel: 021 99333208 Ext.30 Email: cs.kmp.yle@gmail.com 
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ENTITY LEVEL CONTROLS 


Control Objectives 
yntrol Environment 





egri 











C 


tv. ethical values, and behavior of ke executives - The effectiveness of 





Description of 
SMTA control 








ontrol Cons 


— 





iderations 








controls depends on the integrity and ethical 


ues of the people who create and administer them. The control environment is influenced by how management 
nmunicates ethical standards and reinforces them in practice - through policies and codes of conduct, and by example. 


des of conduct and other policies regarding acceptable 
siness practices, conflicts of interest, or expected 
ndards of ethical or moral behavior exist and have 

en implemented. . 





Given the nature of the SMTA's operations, all 
significant laws and regulations that could directly or 
indirectly lead to a material misstatement of the financial 
statements have been complied with. (Examples of the 
types of laws and regulations that may affect SMTA are: 
Generally applicable laws and regulations - Taxation; 
occupational safety and health; environmental protection; 
labor, employment, benefits, and immigration; price- 
fixing or other antitrust violations; unclaimed or 
abandoned property (escheat); bankruptcy; Foreign 
Corrupt Practices Act;AML; USNC Designated Persons; 
patents and trademarks; Uniform Commercial Code; 
personal injury; product liability; state and local; HIPAA 
Industry-specific laws and regulations - Food and Drug 
Administration; banking; insurance, communications; 











Are there codes of conduct regarding acceptable 
business practices, conflicts of interest, or 
expected standards of ethical or moral behavior 
and have they been implemented and 
communicated effectively? 








Are the codes comprehensive, addressing 
conflicts of interest, illegal or other improper 
payments, anti-competitive guidelines, and 
insider trading? 





Are the codes periodically acknowledged by all 


employees? 
Are training programs conducted to ensure that 


employees understand the codes of conduct? 














Is compliance with the codes of conduct 
monitored and appropriate disciplinary action 
taken when violations occur? 

If a written code of conduct does not exist, does 
the management culture emphasize the 
importance of integrity and ethical behavior by 
communicating orally in staff meetings, in one- 
on-one interface, or by example when dealing 
with day-to-day activities? 

Do the employees understand what behavior is 
acceptable or unacceptable, and know what to 


do if they encounter improper behavior? | 


ÉS 
Does management and/or counsel monitor 
changes in significant laws and regulations that 
affect the business and implement an 
er Y DONT Know 
appropriate changes in company policies or 
business practices in a timely manner? 


Is a register and record of complaints En 
maintained regarding significant laws with Process 
which the entity is required to comply within its 











Are periodic representations obtained from 
executives and other employees concerning 
compliance with laws and regulations? 


Yes 





Are actual loss events arising from violations of 
laws and regulations regularly identified, 
measured, and reported? 
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Description of 
SMTA control 





Control Objectives u Control Considerations 
rma: ur Informal job descriptions or other means of Has management analyzed, on a formal or 
fining tasks that comprise particular jobs have been informal basis, the tasks comprising particular 
ablished. jobs, considering such factors as the extent to 
which individuals must exercise judgment and 









he extent of related pervision? 
Has management adequately determined the 
knowledge and skills needed to perform 


particular 
Does evidence exist indicating that employees 


and key managers appear to have the requisite 
knowledge and skills for their job functions? 


1alyses of the knowledge and skills needed to perform 
bs adequately have been performed. 


















Does management demonstrate a commitment 
to provide sufficient competent accounting and 
financial personnel to keep pace with the growth 


and/or complexity of the business? 
“he SMTA Board or Audit Committee - The board and 


ts audit committee play an important role in setting 
he tone at the top. Qualities include the board or 
audit committee's independence from management, 
the experience and stature of its members, the extent 
of its involvement and oversight of activities, the 
degree to which difficult questions are raised and 
pursued with management, and its interaction with 


Independence from management has been achieved, such Does the board include independent 
that necessary, even if difficult and probing, questions are directors/members with appropriate background 
raised. and expertise, given the nature of SMTA? 









Has the independence of outside board members 
been adequately reviewed, including 
affiliations? 
Does the board constructively challenge 
management's planned decisions for strategic 
initiatives and major transactions, and probe for 
explanations of past results (e.g., budget 
ariances)? 
Does the board and/or audit committee 
represent an informed, vigilant and effective 
overseer of the financial reporting process and 
MTA’s internal controls? 
Does the board and/or audit committee give 
sufficient consideration to understanding 
management's processes for monitoring business 
risks affecting the organization? 
Does a board that consists solely of an entity’s 
officers and employees (e.g., a small 
corporation) question and scrutinize activities, 
present alternative views and take appropriate 
action if necessarv? 
Do board committees exist? 






























Board committees are used, where warranted by the need 
for more in-depth or directed attention to particular 
matters. 


Are the existing committees sufficient, in 
subject matter and membership, to deal with 
important issues adequately? 
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Description of 


Control Objectives Control Considerations SMTA control 


— ME the board specifically address 





management's adherence to the code of 
conduct? 


he board or audit committee takes appropriate actions Has the board or audit committee issued 
; a result of its findings, including special investigations, directives to management detailing specific 


-< 
Y 





7 
v 





s needed. 





Does the board or audit committee oversee and 
take prompt action to follow-up its findings? y E 
Management's Philosophy And O erating Style - Management's attitudes toward controls are reflected in how it accepts and 
nanages business risks. Management may be conservative or aggressive in selecting accounting p rinciples and in develo ping 
Vlanagement evaluates business risks prior to accepting Does management move cautiously, proceeding 
hose risks (e.g., high risk ventures, extremely only after carefully analyzing the risks and 


sonservative ventures). potential benefits of a venture? 

Are there appropriate policies for such matters 

as accepting new business and conflicts of 

interest which are adequately communicated 
roughout the organization? 

Has turnover of management or supervisory 

personnel been normal, rather than excessive? 


pa 
Y 








Mm 





ri 
a 
V 








Management monitors personnel turnover in key 
functions (e.g., operations, accounting, data processing, 
Internal audit). 





Have key personnel left only after giving proper 

notice, rather than quitting unexpectedly or on 

short notice? 

Has turnover of personnel other than 

management been normal, rather than 

excessive? 

Does management give appropriate attention to 

internal controls? 

Ts the accounting function viewed as a vehicle 

for exercising control over the entity's various 

activities, rather than as a necessary group of 

ore keepers"? 

Does the selection of accounting and 

government principles used in financial 

statements result in a fair presentation, as 

opposed to always resulting in the highest 
‘aca? 

If the accounting function is decentralized, does 

operating management “sign off” on report 

results? 

Do business unit accounting personnel also have 

responsibility to central financial officers? 


ON EMO 
Management has the appropriate attitude relative to the 
information systems processing and payment & 
accounting functions, and is concerned about the 
reliability of financial reporting and the safeguarding of 
assets. 














Are valuable assets, including intellectual 
property and information, protected from 
unauthorized access or use? 

Do senior managers frequently visit projects or 
divisional operations? 

Are project or divisional management meetings 


held frequently? 
Ts there a mechanism available to remotly 


access overall project progress? 





There is frequent interaction between senior management 
and operating management, particularly when operating 
from geographically remote locations-. 













Management has a positive attitude and takes appropriate 
actions toward financial / Government / Donor reporting, 


Does management avoid excessive focus on 
short-term reported results? 
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Control Objectives 
zlegarcd authority in relation to assigned 
sponsibilities is appropriate. 


Is there is an appropriate balance between 
authority needed to "get the job done" and the 
involvement of senior personnel where needed? 
Are employees at the “ri t” level of 
empowerment to correct problems or implement 
improvements, and is empowerment 









Description of 
SMTA control 


u Control Considerations 


accompanied by appropriate levels of 


competence and clear boundaries of authority? 





Is responsibility for information systems 
processing and program development clear? 





Juman Resources Policies and Practices - Human resource policies and practices relate to hiring, training, evaluating, 
‘ompensating and terminating employees. Management's expectations of performance and behavior are communicated 


hrough training and performance review. 


olicies and procedures for hiring, training, promoting 
and compensating employees are in place. 


People are made aware of their responsibilities and 
expectations for them. 








Remedial action taken in response to departures from 
approved policies and procedures are appropriate. 


Personnel policies address adherence to appropriate 
ethical and moral standards. 
Employee candidate background checks, particularly 


unacceptable by the entity, are performed. 


Employee retention, promotion criteria, information- 


gathering techniques (e.8., performance evaluations) and 


relation to the code of conduct or other behavioral 
guidelines are adequate. 


Are there policies and procedures for hiring, 
training, evaluating, promoting, compensating, 
transferring, and terminating personnel that are 
applicable to all functional areas (e.8., 

ountine. sales)? 

existing personnel policies and procedures 

i iting or developing co 

effective internal control system? 
When formal documentation of policies and 
procedures does not exist, does management 


Is management's response to failures to carry 
out assigned responsibilities appropriate? 

Is appropriate corrective action taken as a result 
of non-adherence to established policies? 





with regard to prior actions or activities considered to be 






















communicate expectations about the type of 
people to be hired or participate directly in the 
< vail 












Are new employees made aware of their 

responsibilities and management's expectations 

of them? Y S 
sory personnel meet periodically 

with employees to review job performance and y 

suggestions for improvement? ES 








Do employees understand that ineffective 
performance will result in remedial 
consequences? 

Are integrity and ethical values considered as 
criteria in performance appraisals? 

Are candidates with frequent job changes or 
gaps in employment history subjected to 
particularly close scrutiny? 





management expects prior to promotions or 
advancement? 
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Description of 
SMTA control 





Control Objectives € Control Considerations 


Are activity level objectives consistent with past 
practices and performances or with industry or 
functional metrics, and have the reasons for 





variances been considered? 
Are objectives established for each significant 
activity? 


\ctivity-level objectives are specific, measurable and are Do objectives include assessment criteria that 
nonitored. Adequate resources are available to achieve are specific, measurable, achievable, realistic 
he objectives. and time based? 





Are objectives monitored on a regular basis? 
Are current resources sufficient to achieve 
objectives or has management identified the 
resources needed? 


Objectives that are important (critical success factors) to Has management identified what must go right, 
achievement of entity-wide objectives are identified. avoided, for entity- 
Are capital spending and expense bu 


a 








on management's analysis of the relative 
importance of objectives? 

Do the objectives serving as critical success 
factors provide a basis for particular 
management focus? 


All appropriate levels of management are involved in Do managers participate in establishing activity 
objective setting and demonstrate commitment to the objectives for which they are responsible? 
objectives. 

Do managers support the objectives, and not 

















have "hidden agendas? 
Risks - An entity's risk-assessment process should identify and consider the implications of relevant risks, at both the entity 
level and the activity level. The risk-assessment process should consider external and internal factors that could impact 

achievement of the objectives, should analyze the risks, and provide a basis for managing them. 








Mechanisms are in place to identify risks arisin 
external sources. 


g from Are there adequate mechanisms in place to 
identify external risks that prevent the 


achievement of business objectives? External 











Technology changes 


Creditor's demands 





Competitor's actions 
Economic conditions 





Political conditions 


— Regulation 


Are there adequate mechanisms in place to 
identify internal risks that prevent the 
achievement of business objectives? Internal 


Mechanisms are in place to identify risks arising from 
internal sources. 
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Control Objectives 


Control Activities 


Policies and Procedures - Policies establish what should 
be done and procedures explain how it is carried out. 





Policies may be communicated orally or written. 
Regardless of method they must be implemented 
conscientiously and consistently. 











Description of 
SMTA control 






Control Considerations 

Are there processes to ensure the accounting 
department is made aware of changes in the 
operating environment so they can review the 
changes and determine what, if any, effect 
change may have on the entity’s accounting 








Did 

Are there channels of communication between 
the accounting department and/or individual(s) 
in charge of monitoring regulatory rules so the 
accounting department is aware of regulatory 


changes that could affect the entity’s accounting 
practices? 









Are there processes to ensure the accounting 
department (and board of directors/members 
and/or audit committee) is aware of significant 
transactions with related parties so they can 





Does the DFA or Controller review and assess 
the ability and expertise of accounting personnel 
at each of its subsidiaries to properly report 

relevant information for disclosure purposes? 






Are there controls in place to ensure relevant 
information is captured at the lowest level to 
ensure proper reporting at the consolidated 





Are there policies and procedures in place to 
ensure the preparation of the statement of cash 
flows is in accordance with applicable 

frameworks? 


Are there policies and procedures (informal or 
documented) for generation of accounting 

transactions and financial statements and over 
developing and modifying accounting systems 


ana coniro 2 
Are accounting and closing practices followed 
consistently at interim dates (e.g. monthly, 
quarterly) throughout the year? 

Do appropriate levels of management review 
significant accounting estimates and support for 
unusual transactions and non-standard journal 
entries? 

Is documentation for transactions timely and 
appropriate? 

Are policies and procedures reviewed 
periodically to determine continued 
appropriateness? 
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Description of 
SMTA control 





Control Objectives Control Considerations 
MN 
1 La 
ajectives. e Are procedures in place to monitor when 
controls are overridden and to determine if the 
i N OW 





e Are polic 

that corrective action is taken 
ontrol exceptions occur? 

e Is internally generated information critical 

to achievement of the entity's obj ectives 


dentified and regula ported? 








«ternas and internal information is obtained, and e Do procedures require that management 
ovides management with necessary reports on the review control processes to ensure that the 
itity's performance relative to established entity-wide are being applied as expected? 


e Do managers receive information that 
enables them to identify what action needs to be 
aken? 
e Is information provided at the right level o 
detail for different levels of manag ement? 
e Is information summarized appropriately, 
providing pertinent information while 
permitting closer inspection of details as needed 
han i a "sea of data"? 
e Ts information available on a timely basis 
to allow effective monitoring of events and 
activities - internal and external - and prompt 
reaction to economic and business factors and 


nformation is provided to the right people in sufficient 
letail and on time to enable them to carry out their 
‘esponsibilities efficiently and effectively to achieve 
ıctivity-level objectives. 








































Information systems provide management with necessary e Is the entity able to prepare accurate and 
reports on the entity’s perfermance relative to established timely financial reports, including interim N 
objectives. eports? RW 
e _Is there a high level of user satisfaction 
with information systems processing, including N 
eliability and timeliness of reports? QN 








ant functions? 
e Does the timing of the documentation and 


testing performed by the independent third party 
cover a significant portion of the year? 









Internal controls over significant applications or e Has the internal control environment at the 
transactions that are executed/processed by service service organization been documented and 
organizations are effective. tested by an independent third party for the 





Communication - Communication is inherent in information processing. Communication also takes place in a broader sense, 
dealing with expectations and responsibilities of individuals and groups. Effective communication must occur down, across 
and up an organization and with parties external to the organization. 











e Are employees’ roles and responsibilities 
regarding internal control and risk assessment 
communicated clearly and effectively by 

en 2 

e Do employees know the objectives oftheir 
own activity and how their duties contribute to 


Employees' duties and control responsibilities are 
effectively communicated. 














e Isthere a way to communicate upstream 
through someone other than a direct superior, 
idsman or corporate counsel? 


Channels of communication for people to report 
suspected improprieties have been established. 
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Description of 





Control Objectives Control Considerations SMTA control 
— u e Is senior management aware ofthe nature 
and volume of complaints? U 
fonitoring El DOS i 





ngoing Monitoring - Ongoing monitoring occurs in the ordinary course of operations, and includes regular management 


nd supervisory activities, and other actions personnel take in performing their duties that assess the quality of internal 
antrol system performance. Note: Additional monitoring controls will be covered within the business process analysis sections. 


ersonnel, in carrying out their regular activities, 
2gularly obtain evidence as to whether the system of 









e Are operating personnel required to “sign 
off” on the accuracy of their units’ financial 
statements, and are they held responsible if 


Sommunications from external parties, that corroborates e Are customers’ complaints recorded and 
nternally generated information or indicates problems, is investigated for their underlying causes? 
»ffectively gathered and used. e  Aresuppliers' complaints of unfair 


aternal control continues to function. 



















practices by purchasing agents recorded and 

fully investigated? 

e Do regulators communicate information to 
the entity regarding compliance or other matters 
that reflect on the functioning of the internal 

2 
e _ Are controls that should have prevented or 
detected the problems reassessed? 
+ Are there periodic comparisons of 
accounting records to physical assets? 
° Do executives with proper authority decide 
which of the auditors’ recommendations will be 
implemented? 

+ Are desired actions followed up to verify 
implementation? 

e Are relevant issues and questions raised at 
ing seminars captured? 

+ Are employee suggestions communicated 
upstream and acted on as appro priate? 


e Does management monitor actions toward 
financial reporting, including disputes over 
application of accounting treatments? 


e Are signatures required to evidence 
performance of critical control functions, such 
na veconciline sach 

Are there appropr 
and experienced staff? 
e Is their position within the organization 


appropriate? 
Do they have access to the board of 

directors/members or audit committee? 

e Are their scope, responsibilities and audit 

plans appropriate to the organization's needs? 


















There is periodic comparison of amounts recorded by the | | 
accounting system with physical assets. 

Management is responsive to internal and external 
auditor (or external regulator) recommendations on 
means to strengthen internal controls. 





















Management seeks feedback on whether controls operate 
effectively when conducting training seminars, planning 


sessions and other meetings. 














Management monitors actions toward financial reporting, 
including disputes over application of accounting 
treatments (e.g., selection of conservative vs. liberal 
accounting policies, whether accounting principles have 
been misapplied, important financial information not 
disclosed, or records manipulated or falsified). 

















and regularly perform critical control activities. 
The scope and extent of internal audit activities is 


appropriate. 
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Description of 
SMTA control 





Control Considerations 

Are there effective policies that minimize the 
chance of hiring or promoting individuals with 
low levels of honesty, especially for positions of 


Control Objectives 











Nos 





MTA react to and deal with acts of fraud 
in a manner that sends a strong message 
throughout SMTA that helps reduce the 
likelihood of future incidents? 

Are there ongoing internal fraud communication 


programs (e.g., posters, training seminars, 
conferences) and are management and 
employees required to participate to an 
appropriate extent? 

Do communications to external parties regularly 
state SMTA's position on fraudulent activity and 
the potential consequences if fraud is detected? 

















Has management implemented and does it 
continuously monitor the operation of internal 
controls designed to mitigate the risk of fraud? 








Does the audit committee or board of 
directors/members consider the potential for 
management override of internal controls and its 
appropriate influence over the financial 
process? 








Management has included the identification of fraud risks 
in its entity--wide risk assessment program or has 
established a separate risk assessment program that 
considers the vulnerability of SMTA to fraudulent 
activities. 








Does the audit committee 
directors/members evaluate management's 
identification of fraud risks, implementation of 
antifraud measures, and the “tone at the top”? 





Does management review identified fraud risks 
with the audit committee and seek guidance 
from the audit committee as to other associated 


Do internal auditors examine and evaluate 
adequacy of internal controls designed to reduce 
fraud risk or do internal auditors conduct 

proactive auditing: to search for corruption, 
misappropriation of assets, and financial 


statement fraud? 
Does management perform frau 
sessions? 











Have critical controls been identified to address 
identified fraud risks? 

Do certified fraud examiners assist the audit 
committee or board of directors/members with 
the oversight process? 
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GOVERNMENT OF SINDH 
Karachi Urban Mobility Project 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
TRANSPORT & MASS TRANSIT 
DEPARTMENT 


No. PCMS/YLC/SMTA/2021/ 001 Karachi Dated: July 16, 2021 





Financial Management Specialist, 

Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 

Karachi. 


GOVERNANCE ASSESSMENT OF SINDH_MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 


MOBILITY PROJECT). 





SUBJECT: 





I am in receipt of your letter reference number 


FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 


and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 





to you. 
PROCU CONTRACT 
MANAGE PECIALIST 
C.c to: 
1. PS to Project Director, Karachi Mobility Project. 
2. Master File. 
Enclosure: 


1. Filled-in Questionnaire 





House # D-43/1, Block 2 Clifton, Karachi, 75600 Tel: 021 99333208 Ext.30 Email: pems.kmp.yle@gmail.com 


GOVERNMENT OF SINDH 
Karachi Urban Mobility Project 
(YELLOW LINE BRTS) 
SINDH MASS TRANSIT AUTHORITY 
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No. PCMS/YLC/SMTA/2021/ 001 Karachi Dated: July 16, 2021 





Financial Management Specialist, 

Karachi Mobility Project — Yellow Line BRTS, 
Government of Sindh, 

Karachi. 


GOVERNANCE ASSESSMENT OF SINDH_MASS TRANSIT 
AUTHORITY UNDER THE IBRD LOAN NO. 8995-PK (KARACHI 
MOBILITY PROJECT). 


SUBJECT: 








I am in receipt of your letter reference number 


FMS/CG/YLC/SMTA/2021/L256, dated July 01, 2021 regarding your request to fill in 
the Questionnaire duly approved by the World Bank for an overall Governance Structure 


and Internal Controls of Sindh Mass Transit Authority. 


Please find enclosed herewith the filled-in copy of the aforementioned 
Questionnaire as requested. The same in excel spreadsheet format has also been emailed 


to you. 





PROCURE 
MANAGEMENT SPECIALIST 


C.c to: 
1. PS to Project Director, Karachi Mobility Project. 


2. Master File. 


Enclosure: 
1. Filled-in Questionnaire 
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